Werk #15890: user: read permissions are now checked in the request schema before delete/edit/create user

Component REST API
Title user: read permissions are now checked in the request schema before delete/edit/create user
Date Jun 15, 2023
Level Trivial Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.3.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p5 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Prior to this Werk an authenticated user was able to enumerate username with the RestAPI.

We found this vulnerability internally.

Affected Versions: * 2.2.0

Indicators of Compromise: You can check var/log/apache/access_log for a unusual amount of requests to the user_config RestAPI endpoints.

Vulnerability Management: We have rated the issue with a CVSS Score of 4.4 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.

We assigned CVE-2023-22359 to this vulnerability.

Changes: When calling either of the following endpoints, a 401 will be returned if the client user doesn't have permission to read users. POST /domain-types/user_config/collections/all PUT /objects/user_config/{username} DELETE /objects/user_config/{username}

To the list of all Werks