back to website

Werk #17780: Fix redaction of remote site secrets in log messages

Component User interface
Title Fix redaction of remote site secrets in log messages
Date Mar 12, 2025
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.5.0b1
Not yet released 		Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.4.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p29 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p41 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

If the log level for Web is set to debug and the site has remote sites, the secrets used to authenticate against the remote sites were logged to var/log/web.log.

This issue was found during internal review.

Affected Versions:

  • 2.3.0
  • 2.2.0
  • 2.1.0 (EOL)

Mitigations:

Change the log level to verbose or less.

Indicators of Compromise:

Check var/log/web.log for messages beginning with Site states:

Vulnerability Management:

We have rated the issue with a CVSS Score of 7.1 High (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H) and assigned CVE-2025-2092.

To the list of all Werks