Werk #17105: Fix secrets added to URL query params
Component | Setup
Title | Fix secrets added to URL query params
Date | Aug 7, 2025
Level | Trivial Change
Class | Security Fix
Compatibility | Compatible - no manual interaction needed
Checkmk versions & editions |
Previously, under specific conditions (toggling page navigation after receiving validation errors when submitting a form), passwords and other secrets entered in the form could be exposed in URL query parameters. Importantly, this did not affect any stored secrets; only the data just entered by the user was at risk. This could result in sensitive data being leaked, for example, to server logs.
Such sensitive information is now excluded from the URL query parameters.
This issue was reported to us by an external party.
Affected Versions:
- 2.4.0
- 2.3.0
- 2.2.0
- 2.1.0 (EOL)
Vulnerability Management:
We have rated the issue with a CVSS Score of 1.0 Low (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N) and assigned CVE-2025-32916.
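One way to check existing web server access logs for the exposure described above, as an added example that is not Checkmk's code. The parameter-name hints, the log format and the sample lines (including the parameter name `bind_password`) are assumptions constructed for illustration, since the Werk does not name the affected form fields.

```python
import re
from urllib.parse import unquote_plus, urlsplit, urlunsplit

# Assumption: name fragments that suggest a secret; the Werk names no form fields.
SECRET_HINTS = ("password", "passwd", "secret", "token", "passphrase")
# Request line of an access-log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined-log style, hypothetical parameter names).
SAMPLE_LOG = [
    '192.0.2.10 - admin [07/Aug/2025:10:01:02 +0200] '
    '"GET /mysite/check_mk/wato.py?mode=edit_host&host=web01 HTTP/1.1" 200 5120',
    '192.0.2.10 - admin [07/Aug/2025:10:01:09 +0200] '
    '"GET /mysite/check_mk/wato.py?mode=edit_rule&bind_password=S3cr%21t&page=2 HTTP/1.1" 200 4711',
    '192.0.2.10 - admin [07/Aug/2025:10:01:15 +0200] '
    '"GET /mysite/check_mk/wato.py?mode=edit_rule&bind_password= HTTP/1.1" 200 4711',
]

def redact_target(target):
    """Return (target with secret values replaced, names of the params redacted)."""
    parts = urlsplit(target)
    pairs, hits = [], []
    for pair in parts.query.split("&"):
        name, sep, value = pair.partition("=")
        decoded = unquote_plus(name).lower()
        # Only non-empty values count: an empty field leaked nothing.
        if sep and value and any(h in decoded for h in SECRET_HINTS):
            hits.append(unquote_plus(name))
            pair = name + "=[REDACTED]"
        pairs.append(pair)
    return urlunsplit(parts._replace(query="&".join(pairs))), hits

def scan(lines):
    """Return (line_no, param_names, redacted_line) for each line exposing a secret."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target, hits = redact_target(m.group("target"))
        if hits:
            # Report the redacted line so the finding does not repeat the leak.
            safe = line[:m.start("target")] + target + line[m.end("target"):]
            findings.append((no, hits, safe))
    return findings

if __name__ == "__main__":
    for no, names, safe in scan(SAMPLE_LOG):
        print(f"line {no}: secret-looking params {names}\n  {safe}")
```

A finding means the value the user typed was written to the log in clear text, so it should be treated as disclosed to anyone with access to that log file.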