Werk #14291: NagVis: Updated to 1.9.34 (Fix security issues)

Component: Other components
Title: NagVis: Updated to 1.9.34 (Fix security issues)
Date: Aug 29, 2022
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions:
  2.2.0b1: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  2.1.0p11: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
  2.0.0p28: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
  1.6.0p30: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

This update of NagVis fixes the following security issues:

  1. Fix SSRF (triggerable by admin users)

An administrative user with access to the global options could perform a server-side request forgery.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L (8.2)

  2. Fix arbitrary file read

An authenticated attacker can read arbitrary files with the permissions of the web server user.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L (9.1)

  3. Fix type juggling vulnerability in cookie hash processing

An attacker could bypass the authentication and gain access to the NagVis component of Checkmk.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (3.7)
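
An added example (not part of the original Werk and not Checkmk's own code): a check of whether a given Checkmk version string already includes this Werk, based on the fixed versions listed at the top. The stage ordering (innovation < beta < stable release < patch), the optional edition suffix on the version string, and the handling of branches that are not listed are assumptions.

```python
import re

# Earliest version on each branch that ships this Werk (taken from the list above).
FIXED_IN = {
    "1.6.0": "1.6.0p30",
    "2.0.0": "2.0.0p28",
    "2.1.0": "2.1.0p11",
    "2.2.0": "2.2.0b1",
}

# Assumption: within a branch, i (innovation) < b (beta) < stable release < p (patch).
_STAGE_RANK = {"i": 0, "b": 1, "": 2, "p": 3}

# Assumption: an edition suffix such as ".cee" may follow the version string.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:([ibp])(\d+))?(?:\.(?:cre|cee|cce|cme))?$"
)


def parse(version):
    """Return (branch, sort_key) for a string such as '2.1.0p11.cee'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        # Daily builds and other formats cannot be ordered against a patch level.
        raise ValueError(f"unsupported version format: {version!r}")
    major, minor, sub, stage, num = m.groups()
    return f"{major}.{minor}.{sub}", (_STAGE_RANK[stage or ""], int(num or 0))


def includes_werk_14291(version):
    """True if the version is at or above the fixed version of its branch."""
    branch, key = parse(version)
    if branch in FIXED_IN:
        return key >= parse(FIXED_IN[branch])[1]
    # Assumption: branches newer than 2.2.0 inherit the fix; older branches
    # that are not listed above never received it.
    return tuple(int(p) for p in branch.split(".")) > (2, 2, 0)


if __name__ == "__main__":
    # Constructed sample inventory, not real sites.
    for v in ["2.1.0p10.cee", "2.1.0p11.cee", "2.0.0p28.cre", "1.6.0p29", "2.2.0i1"]:
        state = "includes Werk #14291" if includes_werk_14291(v) else "update needed"
        print(f"{v:14} {state}")
```

Version strings that do not match the expected pattern raise `ValueError` instead of being reported as patched, so they can be reviewed by hand.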
