Werk #13982: Reading host_config's will now honour contact groups

Component REST API
Title Reading host_config's will now honour contact groups
Date Apr 21, 2023
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.3.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0b8 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p28 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk it was possible for a user to read a host's configuration (using GET on /objects/host_config/<host_name>) even if that user was not in a contact group of that host.

The REST API now correctly checks the user's permissions before serving a response and reports a 403 error if the user may not access the host's configuration.
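To make the fixed check concrete, the following is an added illustration (not Checkmk's own code) that models the endpoint's behaviour before and after the Werk. The host and user records, the folder-inheritance rule for contact groups and the "may see all folders" bypass are assumptions chosen to mirror the behaviour described above, not Checkmk internals.

```python
"""Constructed model of the authorization gap closed by Werk #13982.

Everything here (data structures, helper names, inheritance rule,
admin-style bypass) is an assumption for illustration, not Checkmk code.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    contact_groups: frozenset = frozenset()         # groups set on the host itself
    folder_contact_groups: frozenset = frozenset()  # groups inherited from the folder (assumed)
    config: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    contact_groups: frozenset = frozenset()
    may_see_all_folders: bool = False  # assumed admin-style bypass of the contact-group check


# Constructed sample inventory (TEST-NET addresses).
HOSTS = {
    "db01": Host("db01", contact_groups=frozenset({"dba"}), config={"ipaddress": "192.0.2.10"}),
    "web01": Host("web01", folder_contact_groups=frozenset({"linux"}), config={"ipaddress": "192.0.2.20"}),
}


def effective_contact_groups(host: Host) -> frozenset:
    # Assumption: groups set directly on the host win, otherwise the folder's groups apply.
    return host.contact_groups or host.folder_contact_groups


def get_host_config_before(user: User, host_name: str):
    """Vulnerable behaviour: only existence is checked, so any authenticated
    user can read any host's configuration."""
    host = HOSTS.get(host_name)
    if host is None:
        return 404, {"title": "Not Found"}
    return 200, host.config


def get_host_config_after(user: User, host_name: str):
    """Fixed behaviour: answer 403 unless the user shares a contact group with
    the host (or is allowed to see every folder)."""
    host = HOSTS.get(host_name)
    if host is None:
        return 404, {"title": "Not Found"}
    if not user.may_see_all_folders and not (user.contact_groups & effective_contact_groups(host)):
        return 403, {"title": "Forbidden", "detail": f"{user.name} is not a contact of {host_name}"}
    return 200, host.config
```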

Affected Versions:
* 2.2.0 (beta)
* 2.1.0

Vulnerability Management: We calculated a CVSS 3.1 score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N We assigned CVE-2023-22348 to this vulnerability.

We found this vulnerability internally and have no indication of any exploitation.
