Werk #16227: Disabled automation users could still authenticate
Component | Setup | ||||||||
Title | Disabled automation users could still authenticate | ||||||||
Date | Dec 11, 2023 | ||||||||
Level | Trivial Change | ||||||||
Class | Security Fix | ||||||||
Compatibility | Incompatible - Manual interaction might be required | ||||||||
Checkmk versions & editions |
|
Prior to this Werk an automation user whose password was disabled also described as "disable the login to this account" was still able to authenticate. The information that a user was disabled was not checked for automation users.
We found this vulnerability internally.
Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0 * 1.6.0 * 1.5.0 (probably older versions as well)
Mitigations: If the need arises to block an automation user one can change the password or remove that user from the system.
Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. We assigned CVE-2023-31211 to this vulnerability.
Changes: This Werk adds a check for the disabled information. During update you will be warned if a automation user is currently disabled.