Werk #16221: Livestatus Injections

Component Setup
Title Livestatus Injections
Date Nov 15, 2023
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 2.1.0p37 2.2.0p15 2.3.0b1
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed

Prior to this Werk it was possible to inject arbitrary livestatus commands to the core via the WebUI.

We found this vulnerability internally.

Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0

Vulnerability Management: We have rated the issue with a CVSS Score of 7.6 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H. We assigned CVE-2023-6156 and CVE-2023-6157 to these vulnerabilities.

Changes: This Werk strips the relevant parameters of newlines.

To the list of all Werks