Werk #15200: Restrict check_sftp local paths
Component | Checks & agents | ||||||||
Title | Restrict check_sftp local paths | ||||||||
Date | May 16, 2024 | ||||||||
Level | Trivial Change | ||||||||
Class | Security Fix | ||||||||
Compatibility | Incompatible - Manual interaction might be required | ||||||||
Checkmk versions & editions |
|
Prior to this Werk, check_sftp
did not restrict the local paths that for files to be uploaded and downloaded.
This allowed users with the permissions to configure check_sftp
to read or write files within the Checkmk site home.
The local paths are now restricted to the folder var/check_mk/active_checks/check_sftp
within the Checkmk site home.
As a consequence, the local paths in existing configurations will now be interpreted as relative to that folder.
Since a test file is created if the local file to upload doesn't exist, the check will continue to work, but it will not pick up files from the old location.
Similarly, the downloaded files will be stored in a new location.
This issue was found during internal review.
If you want a hot-fix in existing versions and are not using check_sftp
, you can remove the executable (/omd/sites/[SITE_ID]/lib/nagios/plugins/check_sftp
) from your installation.
Affected Versions:
- 2.3.0
- 2.2.0
- 2.1.0
- 2.0.0 (EOL)
Vulnerability Management:
We have rated the issue with a CVSS Score of 8.8 High with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
and assigned CVE CVE-2024-28826
.