Werk #17096: CSRF token leaked in URL parameters (CVE-2024-38863)

Component Setup
Title CSRF token leaked in URL parameters (CVE-2024-38863)
Date Oct 7, 2024
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p18 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p35 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p48 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Before this Werk, the CSRF token was mistakenly included as a query parameter in certain URLs when navigating Checkmk, which could result in the token being saved in bookmarks. This increased the risk of unintentional exposure, such as when sharing bookmarks with other users. The issue has been resolved.

While storing or unintentionally exposing the token doesn't present an immediate security threat, it could potentially enable phishing attacks targeting the specific user for the duration of the token's validity. In Checkmk, CSRF tokens remain valid for the session's duration (configured under Global settings > Session management).

This issue was found during internal review.

Affected Versions:

  • 2.3.0
  • 2.2.0
  • 2.1.0

Mitigations:

Avoid sharing or exposing URLs that contain the query parameter csrf_token=.

Vulnerability Management:

We have rated the issue with a CVSS Score of 2.0 Low (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L) and assigned CVE-2024-38863.

To the list of all Werks