Werk #16227: Disabled automation users could still authenticate

Component Setup
Title Disabled automation users could still authenticate
Date Dec 11, 2023
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 2.1.0p38 2.2.0p18 2.3.0b1
Level Trivial Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required

Prior to this Werk an automation user whose password was disabled also described as "disable the login to this account" was still able to authenticate. The information that a user was disabled was not checked for automation users.

We found this vulnerability internally.

Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0 * 1.6.0 * 1.5.0 (probably older versions as well)

Mitigations: If the need arises to block an automation user one can change the password or remove that user from the system.

Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. We assigned CVE-2023-31211 to this vulnerability.

Changes: This Werk adds a check for the disabled information. During update you will be warned if a automation user is currently disabled.

To the list of all Werks