Werk #17099: Agent updater exposes sensitive data

Component: Agent bakery
Title: Agent updater exposes sensitive data
Date: Apr 30, 2025
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions:

  • 2.5.0b1 (Not yet released): Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.4.0p1: Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.3.0p32: Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.2.0p42: Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Prior to this Werk, installation candidates for "Automatic Agent Updates" on Linux and Solaris hosts were downloaded and stored with too broad permissions, potentially exposing secrets in the configuration to other users on the host. Permissions for the installation candidate package are now set more strictly.

This issue affects users who have configured "Automatic Agent Updates" for Linux and Solaris hosts.

The issue was found during internal review.
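
The permission problem described above, as an added example (not Checkmk's agent updater code): a download stored with default permissions next to one created owner-only, plus an audit that lists files readable by group or others. The file names, sample contents and helper names are constructed for illustration.

```python
import os
import stat
import tempfile

SAMPLE = b"[config]\npassword = constructed-example-secret\n"  # constructed sample data

def store_default(path, data):
    """'Before' pattern: mode is 0666 minus the umask, typically 0644."""
    with open(path, "wb") as f:
        f.write(data)

def store_private(path, data):
    """Create the file as 0600 from the first byte; O_EXCL refuses a pre-existing path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def exposed_files(root):
    """Audit: regular files under root that group or others can read."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, stat.S_IMODE(mode)))
    return sorted(findings)

def demo():
    old_umask = os.umask(0o022)  # common default umask (assumption for this demo)
    try:
        with tempfile.TemporaryDirectory() as d:
            store_default(os.path.join(d, "candidate-old.pkg"), SAMPLE)
            store_private(os.path.join(d, "candidate-new.pkg"), SAMPLE)
            return [(os.path.basename(p), oct(m)) for p, m in exposed_files(d)]
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print(demo())
```

Pointing `exposed_files()` at the directory where downloaded packages are stored on a host shows whether any of them is still readable by other local users.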

Affected Versions:

  • 2.4.0
  • 2.3.0
  • 2.2.0
  • 2.1.0 (EOL)

Mitigations:

If updating is not possible, consider disabling "Automatic Agent Updates".

Vulnerability Management:

We have rated the issue with a CVSS Score of 4.3 Medium (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N) and assigned CVE-2025-32915.
