Werk #14924: Fix CSRF in add-visual endpoint

Component Setup
Title Fix CSRF in add-visual endpoint
Date Dec 1, 2022
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.2.0b1 (not yet released) Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p18 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
2.0.0p32 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk, an attacker could exploit a cross-site request forgery (CSRF) vulnerability in Checkmk to add elements to visuals (for example dashboards or reports) on behalf of a logged-in user whose browser was lured into submitting the forged request.
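The following is an added, illustrative example and not Checkmk's code: a minimal "add element to a visual" handler in its vulnerable form (trusting the session cookie alone) next to a hardened form that additionally demands a per-session anti-CSRF token in the POST body. The handler names, the `Session`/`Request` stand-ins and the token scheme are assumptions made for the illustration; the forged and legitimate requests are constructed inline.

```python
"""Added illustrative example (not Checkmk code): an 'add element to visual'
handler without and with CSRF protection. add_visual_element_* and the token
scheme are assumptions for illustration only."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed stand-in for a logged-in browser session (cookie-bound)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    dashboards: dict = field(default_factory=dict)


@dataclass
class Request:
    """Constructed stand-in for an HTTP POST that carries the session cookie."""
    session: Session
    form: dict


def add_visual_element_vulnerable(req: Request) -> str:
    """Vulnerable form: the only authentication is the ambient session
    cookie, so a form post triggered by an attacker's page is accepted."""
    dashboard = req.form["dashboard"]
    element = req.form["element"]
    req.session.dashboards.setdefault(dashboard, []).append(element)
    return "added"


def add_visual_element_hardened(req: Request) -> str:
    """Hardened form: also requires the per-session CSRF token in the body.
    A cross-origin page cannot read that token, so a forged request fails
    the constant-time comparison and changes nothing."""
    supplied = req.form.get("_csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), req.session.csrf_token.encode()):
        return "rejected: missing or invalid CSRF token"
    dashboard = req.form["dashboard"]
    element = req.form["element"]
    req.session.dashboards.setdefault(dashboard, []).append(element)
    return "added"


def forged_cross_site_post(session: Session) -> Request:
    """Constructed request as an attacker page could make the victim's
    browser send: the cookie (session) rides along, the token does not."""
    return Request(session=session, form={"dashboard": "main", "element": "evil"})


def legitimate_post(session: Session) -> Request:
    """Constructed request from the real UI, which renders the token into the form."""
    return Request(
        session=session,
        form={"dashboard": "main", "element": "cpu_graph",
              "_csrf_token": session.csrf_token},
    )


def demo() -> dict:
    """Run the forged request against both handlers, then a legitimate one."""
    s = Session(user="victim")
    return {
        "vuln_forged": add_visual_element_vulnerable(forged_cross_site_post(s)),
        "hard_forged": add_visual_element_hardened(forged_cross_site_post(s)),
        "hard_legit": add_visual_element_hardened(legitimate_post(s)),
        "dashboard": list(s.dashboards.get("main", [])),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token check is the classic synchronizer-token pattern; in a real deployment it is complemented by `SameSite` cookie attributes and an `Origin`/`Sec-Fetch-Site` check, but the token alone is what turns the forged request above from "added" into "rejected".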

This vulnerability was identified through a commissioned penetration test conducted by SSE – Secure Systems Engineering GmbH (Jan Hörsch).

Mitigations: If you are unable to update in a timely manner, you can remove the permissions "Customize dashboards and use them" and "Customize reports and use them" from the affected roles. Users and admins with those roles can then no longer edit dashboards and reports. Adding a Custom URL element with a malicious URL is blocked by the Content-Security-Policy.

All versions of Checkmk, including 1.6, are affected by this vulnerability.

We have rated the issue with a CVSS score of 5.4 (Medium) and the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L. We have assigned CVE-2022-48320 to this issue.
