Werk #17096: CSRF token leaked in URL parameters (CVE-2024-38863)
| Component | Setup | ||||||||
| Title | CSRF token leaked in URL parameters (CVE-2024-38863) | ||||||||
| Date | Oct 7, 2024 | ||||||||
| Level | Trivial Change | ||||||||
| Class | Security Fix | ||||||||
| Compatibility | Compatible - no manual interaction needed | ||||||||
| Checkmk versions & editions |
|
Before this Werk, the CSRF token was mistakenly included as a query parameter in certain URLs when navigating Checkmk, which could result in the token being saved in bookmarks. This increased the risk of unintentional exposure, such as when sharing bookmarks with other users. The issue has been resolved.
While storing or unintentionally exposing the token doesn't present an immediate security threat, it could potentially enable phishing attacks targeting the specific user for the duration of the token's validity. In Checkmk, CSRF tokens remain valid for the session's duration (configured under Global settings > Session management).
This issue was found during internal review.
Affected Versions:
- 2.3.0
- 2.2.0
- 2.1.0
Mitigations:
Avoid sharing or exposing URLs that contain the query parameter csrf_token=.
Vulnerability Management:
We have rated the issue with a CVSS Score of 2.0 Low (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L) and assigned CVE-2024-38863.