Werk #17013: Livestatus injection in mknotifyd

Component Notifications
Title Livestatus injection in mknotifyd
Date Jul 8, 2024
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0b1
Not yet released
Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p11 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p32 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p47 Checkmk Enterprise (CEE), Checkmk MSP (CME)

Before this Werk a malicious notification sent via mknotifyd could allow an attacker to send arbitrary livestatus commands.

With this Werk livestatus escaping was added to the relevant functions.

This issue was found during internal review.

Affected Versions:

  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.0 (EOL)

Vulnerability Management:

We have rated the issue with a CVSS Score of 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) and assigned CVE-2024-6542.

To the list of all Werks