Werk #17808: Prevent session from losing logged out state

Component User interface
Title Prevent session from losing logged out state
Date Mar 17, 2025
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.5.0b1 (not yet released) Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.4.0b3 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p30 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p41 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

At the beginning of an authenticated request we load the session information for that session from disk, and at the end of the request this information (possibly modified) is written back to disk. If a request takes a long time and the session is logged out in the meantime (e.g. from another browser tab), the long-running request overwrites the logout when it writes its copy of the session back.

An attacker who has obtained a valid session could therefore circumvent the victim's logout attempts. Sessions do have a default maximum lifetime (24h), however, so the session will eventually be destroyed.
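The load-at-start, write-back-at-end pattern and the race it creates, as an added illustration that is not Checkmk's code or its actual patch. An in-memory dict stands in for the on-disk session files, and the hardened write-back shown here (re-reading the stored state and refusing to revive a logged-out session) is one possible fix, not necessarily the one shipped with this Werk.

```python
import copy
from dataclasses import dataclass, field

@dataclass
class Session:
    session_id: str
    logged_out: bool = False
    data: dict = field(default_factory=dict)

# Constructed in-memory store standing in for the per-session files on disk.
STORE: dict[str, Session] = {}

def load_session(session_id: str) -> Session:
    # Start of a request: take a private copy of the stored session state.
    return copy.deepcopy(STORE[session_id])

def save_session_unconditionally(session: Session) -> None:
    # Vulnerable write-back: the copy taken at request start always wins,
    # so a logout that happened during the request is silently undone.
    STORE[session.session_id] = copy.deepcopy(session)

def save_session_if_still_active(session: Session) -> bool:
    # Hardened write-back: re-read the stored state and refuse to revive a
    # session that was logged out (or removed) while this request was running.
    # A real implementation also needs a lock spanning the re-read and the write.
    current = STORE.get(session.session_id)
    if current is None or current.logged_out:
        return False
    STORE[session.session_id] = copy.deepcopy(session)
    return True

def logout(session_id: str) -> None:
    STORE[session_id].logged_out = True

def simulate(save) -> bool:
    # A long request loads the session, the user logs out in another tab
    # meanwhile, then the long request writes back; returns whether the
    # logout survived the write-back.
    STORE.clear()
    STORE["s1"] = Session("s1")
    loaded = load_session("s1")           # start of the long-running request
    loaded.data["last_page"] = "/report"  # the request modifies its copy
    logout("s1")                          # concurrent logout from another tab
    save(loaded)                          # end of the long-running request
    return STORE["s1"].logged_out
```

With the unconditional write-back the logout is lost; with the guarded write-back the session stays logged out.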

This issue was reported externally to us.

Affected Versions:

  • 2.4.0 (beta)
  • 2.3.0
  • 2.2.0
  • 2.1.0 (EOL)

Mitigations:

If you cannot update in time, we recommend decreasing the Maximum session duration.

Indicators of Compromise:

None.

Vulnerability Management:

We have rated the issue with a CVSS Score of 2.3 Low (CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) and assigned CVE-2025-2596.
