Werk #16227: Disabled automation users could still authenticate

Component Setup
Title Disabled automation users could still authenticate
Date Dec 11, 2023
Checkmk Version 2.3.0b1 2.2.0p18 2.1.0p38
Level Trivial Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required
Affected Editions
2.3.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p18 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p38 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk an automation user whose password was disabled also described as "disable the login to this account" was still able to authenticate. The information that a user was disabled was not checked for automation users.

We found this vulnerability internally.

Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0 * 1.6.0 * 1.5.0 (probably older versions as well)

Mitigations: If the need arises to block an automation user one can change the password or remove that user from the system.

Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. We assigned CVE-2023-31211 to this vulnerability.

Changes: This Werk adds a check for the disabled information. During update you will be warned if a automation user is currently disabled.

To the list of all Werks