Werk #13982: Reading host_config's will now honour contact groups

Component REST API
Title Reading host_config's will now honour contact groups
Date Apr 21, 2023
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 2.3.0b1 2.2.0b8 2.1.0p28
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed

Prior to this Werk it was possible for a user to read a host's configuration (using GET on '/objects/host_config/') even if that user was not in the contact group of that host.

The REST API will now correctly check a user's permissions before serving a response in that case and report a 403 error if the user cannot access the host's config.
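To make the rule concrete, here is an added illustrative model of that authorization check in Python; it is not Checkmk's own code. It assumes that contact groups inherited from a host's folder count, that an admin-style "see all hosts" permission bypasses the check, and that a missing host is answered with 404.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    contact_groups: frozenset
    may_see_all_hosts: bool = False  # assumed admin-style bypass (e.g. an admin role)

@dataclass
class Host:
    name: str
    attributes: dict                                # what a successful GET returns
    contact_groups: frozenset = frozenset()         # groups set on the host itself
    folder_contact_groups: frozenset = frozenset()  # assumed: inherited from its folder

def effective_contact_groups(host: Host) -> frozenset:
    """Groups that make someone a contact for the host: own plus inherited (assumption)."""
    return host.contact_groups | host.folder_contact_groups

def may_read_host_config(user: User, host: Host) -> bool:
    """The rule the Werk describes: admins always, everyone else only via a shared group."""
    if user.may_see_all_hosts:
        return True
    return not user.contact_groups.isdisjoint(effective_contact_groups(host))

def get_host_config(user: User, hosts: dict, host_name: str, enforce_contact_groups: bool = True):
    """Model of GET /objects/host_config/{host_name}, returning (HTTP status, JSON-like body).
    enforce_contact_groups=False reproduces the pre-Werk behaviour, where the config leaked."""
    host = hosts.get(host_name)
    if host is None:
        return 404, {"title": "Not Found", "detail": f"host {host_name!r} does not exist"}
    if enforce_contact_groups and not may_read_host_config(user, host):
        # The Werk specifies 403; hiding the host's existence with 404 would be a separate design choice.
        return 403, {"title": "Forbidden", "detail": "user is not a contact for this host"}
    return 200, {"id": host.name, "domainType": "host_config",
                 "extensions": {"attributes": dict(host.attributes)}}

# Constructed sample data, not taken from any real site.
HOSTS = {
    "db01": Host("db01", {"ipaddress": "10.0.0.5"}, contact_groups=frozenset({"dba"})),
    "web01": Host("web01", {"ipaddress": "10.0.0.7"}, folder_contact_groups=frozenset({"web"})),
}
ALICE = User("alice", frozenset({"dba"}))      # contact for db01 only
BOB = User("bob", frozenset({"web"}))          # contact for web01 only (via folder)
ADMIN = User("cmkadmin", frozenset(), may_see_all_hosts=True)

if __name__ == "__main__":
    for user in (ALICE, BOB, ADMIN):
        status, body = get_host_config(user, HOSTS, "db01")
        print(f"{user.name:9} GET /objects/host_config/db01 -> {status} {body.get('title', body.get('id'))}")
```

Running it prints 200 for alice and cmkadmin and 403 for bob; calling `get_host_config` with `enforce_contact_groups=False` shows the pre-fix leak.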

Affected Versions:

  • 2.2.0 (beta)
  • 2.1.0

Vulnerability Management: We calculated a CVSS 3.1 score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. We assigned CVE-2023-22348 to this vulnerability.

We found this vulnerability internally and have no indication of any exploitation.
