Download

Werk #9522: Fix Site-Passwords in GET parameters

Komponente Firmware
Titel Fix Site-Passwords in GET parameters
Datum 31.03.2023
Appliance Version 1.6.4
Level Kleine Änderung
Klasse Bugfix
Kompatibilität Inkompatibel - Manuelle Interaktion könnte erforderlich sein

Prior to this Werk when creating a Site with webconf the Password for administrator and the Password specified in Authentication via Password were submitted as GET parameters and therefore logged in the Apache access log.

We found this vulnerability internally.

Manual Steps: You should change all passwords set via webconf.

Vulnerability Management: We have rated the issue with a CVSS Score of 5.5 (Medium) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. We assigned CVE-2023-22307 to this vulnerability.

Changes: This Werk changes the HTTP method of these forms to POST.

Zur Liste aller Werks

Überzeugen Sie sich selbst

Testen Sie Checkmk jetzt.

Raw Edition herunterladen Kostenloses Open-Source-Monitoring
Play with Checkmk Checkmk ohne Installation ausprobieren
checkmk_conference_10.png

Das Highlight des Jahres: Vom 11. - 13. Juni 2024 kommt die Checkmk Community in München zusammen.

Register now