
Werk #17013: Livestatus injection in mknotifyd

Component Notifications
Title Livestatus injection in mknotifyd
Date Jul 8, 2024
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0b1 Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT
2.3.0p11 Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT
2.2.0p32 Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT
2.1.0p47 Checkmk Pro, Checkmk Ultimate MT

Before this Werk, a malicious notification sent via mknotifyd could allow an attacker to send arbitrary Livestatus commands.

With this Werk, Livestatus escaping was added to the relevant functions.

This issue was found during internal review.
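How a line break in an unescaped field changes what a line-based Livestatus receiver sees, and how stripping it keeps the value inside one header line. This is an added example, not Checkmk's code: the function names, the query shape and the sample value are constructed for illustration.

```python
"""Added illustration of newline injection into a line-based Livestatus query."""


def escape_livestatus_value(value: str) -> str:
    # Header lines end at "\n" and a blank line ends the request, so a value
    # must never contain a line break. "\r" is dropped too, as a conservative choice.
    return value.replace("\r", "").replace("\n", "")


def build_query_unsafe(host_name: str) -> str:
    # Vulnerable pattern: the field is interpolated verbatim.
    return f"GET hosts\nColumns: name state\nFilter: name = {host_name}\n\n"


def build_query_safe(host_name: str) -> str:
    # Hardened pattern: escape at the point where the value enters the query.
    return build_query_unsafe(escape_livestatus_value(host_name))


def split_requests(wire: str) -> list[list[str]]:
    # Split wire data as a line-based receiver would: a blank line closes a request.
    requests, current = [], []
    for line in wire.split("\n"):
        if line:
            current.append(line)
        elif current:
            requests.append(current)
            current = []
    if current:
        requests.append(current)
    return requests


# Constructed sample: a field value carrying a blank line and a placeholder line.
SAMPLE_FIELD = "web01\n\nPLACEHOLDER SECOND REQUEST"

if __name__ == "__main__":
    for name, build in (("unsafe", build_query_unsafe), ("safe", build_query_safe)):
        reqs = split_requests(build(SAMPLE_FIELD))
        print(f"{name}: {len(reqs)} request(s) on the wire")
        for req in reqs:
            print("   ", req)
```

The same request count check can be used in a unit test around any code path that places notification fields into a Livestatus query.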

Affected Versions:

  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.0 (EOL)

Vulnerability Management:

We have rated the issue with a CVSS Score of 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) and assigned CVE-2024-6542.
