Werk #16218: Fix 2FA bypass via RestAPI

Component: Setup
Title: Fix 2FA bypass via RestAPI
Date: Sep 9, 2024
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed

Checkmk versions & editions:

  • 2.4.0b1 (not yet released): Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.3.0p16: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.2.0p34: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Prior to this Werk, the RestAPI did not properly check whether a user who is supposed to authenticate with multiple factors had indeed authenticated fully.

This issue was found during internal review.

Affected Versions:

  • 2.3.0
  • 2.2.0

Vulnerability Management:

We have rated the issue with a CVSS Score of 9.2 Critical (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) and assigned CVE-2024-8606.
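
Added example, not part of the Werk or of Checkmk's code: a check that compares an installed version string against the first fixed releases listed in this Werk. The accepted string shapes (base, `b`/`p` suffix, optional edition suffix such as `.cee`) and the status names are assumptions of this example.

```python
import re

# First fixed release per branch, as listed in this Werk.
FIRST_FIXED = ["2.2.0p34", "2.3.0p16", "2.4.0b1"]

# Assumed shapes: "2.3.0", "2.3.0b2", "2.3.0p15", optionally followed by an
# edition suffix (".cre", ".cee", ".cce", ".cme"). Daily builds are rejected.
_VERSION_RE = re.compile(
    r"^(\d+\.\d+\.\d+)(?:([bp])(\d+))?(?:\.(?:cre|cee|cce|cme))?$"
)

# Ordering within one branch: beta < base release < patch release.
_STAGE = {"b": 0, None: 1, "p": 2}


def parse_version(text):
    """Split a version string into (branch, (stage, number))."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    branch, stage, number = m.groups()
    return branch, (_STAGE[stage], int(number or 0))


_THRESHOLDS = dict(parse_version(v) for v in FIRST_FIXED)


def werk_16218_status(text):
    """Return 'fixed', 'needs-update' or 'not-listed' for a version string.

    'not-listed' means the branch does not appear in this Werk at all,
    so the Werk makes no statement about it.
    """
    branch, level = parse_version(text)
    if branch not in _THRESHOLDS:
        return "not-listed"
    return "fixed" if level >= _THRESHOLDS[branch] else "needs-update"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real site.
    for sample in ["2.3.0p15.cee", "2.3.0p16.cee", "2.2.0", "2.4.0b1", "2.1.0p40"]:
        print(f"{sample:14} {werk_16218_status(sample)}")
```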
