Werk #15890: user: read permissions are now checked in the request schema before delete/edit/create user
| Component | REST API |
| Title | user: read permissions are now checked in the request schema before delete/edit/create user |
| Date | Jun 15, 2023 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 2.3.0b1 2.2.0p5 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Incompatible - Manual interaction might be required |
Prior to this Werk an authenticated user was able to enumerate username with the RestAPI.
We found this vulnerability internally.
Affected Versions:
- 2.2.0
Indicators of Compromise: You can check for a unusual amount of requests to the user_config RestAPI endpoints.
Vulnerability Management: We have rated the issue with a CVSS Score of 4.4 (Medium) with the following CVSS vector: .
We assigned CVE-2023-22359 to this vulnerability.
Changes: When calling either of the following endpoints, a 401 will be returned if the client user doesn't have permission to read users. POST /domain-types/user_config/collections/all PUT /objects/user_config/{username} DELETE /objects/user_config/{username}