Werk #17984: Path-Traversal in report scheduler
| Component | Reporting & availability | ||||||
| Title | Path-Traversal in report scheduler | ||||||
| Date | Aug 13, 2025 | ||||||
| Level | Trivial Change | ||||||
| Class | Security Fix | ||||||
| Compatibility | Compatible - no manual interaction needed | ||||||
| Checkmk versions & editions |
|
Previous to this Werk it was possible that an authenticated user could perform Path-traversal
attacks against the site's local file directory by use of the report scheduler. This issue was made
possible due to insufficient escaping of macros which could allow an attacker to make use of a
generated .mk file to overide existing .mk files.
Performing such an action could allow an attacker to break a site's configurations however as an
attacker cannot break out of the predefined fields within the generated .mk file, this can only
be used to DoS / break an affected site.
We thank Lisa Gnedt (SBA Research) for reporting this issue.
Affected Versions:
- 2.4.0
- 2.3.0
- 2.2.0
- 2.1.0 (EOL)
Mitigations:
If you cannot update, it is advised that both the following roles Manage Own Scheduled Reports
which by default is set to yes and the Manage All Scheduled Reports both be set to no for
non-admin users within the site.
Furthermore, if you believe you may have been affected by this vulnerability that you conduct a manual review of all scheduled reports within your site and remove any schedules that contain titles with directory information.
Indicators of Compromise:
Checkmk will always generate both an .mk and .pdf file pair for each scheduled report.
Therefore, any affected path within the site's file system can be identified by existence .pdf /
.mk report file pairs.
Vulnerability Management:
We have rated the issue with a CVSS Score of 7.1 High
(CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N) and assigned CVE-2025-39664.