Download

Werk #9522: Fix Site-Passwords in GET parameters

Component Firmware
Title Fix Site-Passwords in GET parameters
Date Mar 31, 2023
Appliance Version 1.6.4
Level Trivial Change
Class Bug Fix
Compatibility Incompatible - Manual interaction might be required

Prior to this Werk when creating a Site with webconf the Password for administrator and the Password specified in Authentication via Password were submitted as GET parameters and therefore logged in the Apache access log.

We found this vulnerability internally.

Manual Steps: You should change all passwords set via webconf.

Vulnerability Management: We have rated the issue with a CVSS Score of 5.5 (Medium) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. We assigned CVE-2023-22307 to this vulnerability.

Changes: This Werk changes the HTTP method of these forms to POST.

To the list of all Werks

See it yourself

Try out Checkmk now.

Get the Raw Edition Free and open source monitoring
Play with Checkmk Try Checkmk without installing
Checkmk Conference #10

Join us for the highlight of the year when the Checkmk Community gets together in Munich from June 11-13.

Register now