Werk #16227: Disabled automation users could still authenticate
| Component | Setup |
| Title | Disabled automation users could still authenticate |
| Date | Dec 11, 2023 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 2.1.0p38 2.2.0p18 2.3.0b1 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Incompatible - Manual interaction might be required |
Prior to this Werk an automation user whose password was disabled also described as "disable the login to this account" was still able to authenticate. The information that a user was disabled was not checked for automation users.
We found this vulnerability internally.
Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0 * 1.6.0 * 1.5.0 (probably older versions as well)
Mitigations: If the need arises to block an automation user one can change the password or remove that user from the system.
Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. We assigned CVE-2023-31211 to this vulnerability.
Changes: This Werk adds a check for the disabled information. During update you will be warned if a automation user is currently disabled.
