Werk #16221: Livestatus Injections
Component | Setup | ||||||||
Title | Livestatus Injections | ||||||||
Date | Nov 15, 2023 | ||||||||
Level | Trivial Change | ||||||||
Class | Security Fix | ||||||||
Compatibility | Compatible - no manual interaction needed | ||||||||
Checkmk versions & editions |
|
Prior to this Werk it was possible to inject arbitrary livestatus commands to the core via the WebUI.
We found this vulnerability internally.
Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0
Vulnerability Management: We have rated the issue with a CVSS Score of 7.6 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H. We assigned CVE-2023-6156 and CVE-2023-6157 to these vulnerabilities.
Changes: This Werk strips the relevant parameters of newlines.