back to website

Werk #11263: Fix piggyback path traversal

Component Core & setup
Title Fix piggyback path traversal
Date Aug 14, 2020
Level Prominent Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.0.0i1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.6.0p16 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.5.0p25 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

In previous versions it was possible to create files in the querying Checkmk site by modifying or extending an agent on a monitored system.

So an attacker who gained rights on a monitored system to extend the agent could create and modify files in the monitoring Checkmk site with certain modifications of the agent. The creation or modification of files in the Checkmk site was done with rights of the Checkmk site user.

This problem is now solved by a better validation of hostnames of piggybacked hosts. With this change only these characters are allowed in Piggybacked hostnames: 0-9a-zA-Z_.-. These are exactly the same characters that Checkmk normally allows when creating hostnames. A special feature of Piggyback hostnames is that all illegal hostnames are replaced by "_".

This change means that Piggyback hosts created with now invalid characters will have to be created differently after this change so that they can continue to be monitored.

To the list of all Werks

The Checkmk logo (formerly known as Check_MK) is a trademark of Checkmk GmbH. ©2025 Checkmk GmbH. All rights reserved.

Join our hybrid Monitoring Community event from May 20-22 in Munich and learn more about the latest Checkmk features and our roadmap at the Checkmk Conference #11

Register now