Werk #16221: Livestatus Injections
Component | Setup |
Title | Livestatus Injections |
Date | Nov 15, 2023 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk Version | 2.1.0p37 2.2.0p15 2.3.0b1 |
Level | Trivial Change |
Class | Security Fix |
Compatibility | Compatible - no manual interaction needed |
Prior to this Werk it was possible to inject arbitrary livestatus commands to the core via the WebUI.
We found this vulnerability internally.
Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0
Vulnerability Management: We have rated the issue with a CVSS Score of 7.6 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H. We assigned CVE-2023-6156 and CVE-2023-6157 to these vulnerabilities.
Changes: This Werk strips the relevant parameters of newlines.