Branch: refs/heads/2.1.0
Home: https://github.com/Checkmk/checkmk
Commit: e9dfb2ad0f78397b0345d15d5eee934d5cc1e190
https://github.com/Checkmk/checkmk/commit/e9dfb2ad0f78397b0345d15d5eee934d5…
Author: Maximilian Wirtz <maximilian.wirtz(a)checkmk.com>
Date: 2024-06-14 (Fri, 14 Jun 2024)
Changed paths:
A .werks/17009
M cmk/gui/plugins/views/inventory.py
Log Message:
-----------
17009 SEC XSS in inventory tree
Prior to this Werk an attacker with control over an agent was able to inject HTML in the output which was then rendered in the inventory tree of the corresponding host.
This problem exists only if the rule *Do hardware/software inventory* is set for the compromised agent/host.
We found this vulnerability internally.
**Affected Versions:**
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0
**Mitigations**:
If you are unable to patch you can disable inventory scanning for all hosts.
**Indicators of Compromise:**
You can check `var/check_mk/inventory/` for inventories with embedded HTML.
This only indicates current 'attacks'.
Previous attacks (where the agent does not output the payload anymore) are not discoverable after some time (caching).
**Vulnerability Management:**
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector:
`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L`
We assigned CVE-2024-5741 to this vulnerability.
**Changes:**
This Werk adds sanitation to the HTML output.
Change-Id: I5b93ac74128384c910fb17c54906bd62ee785d34
To unsubscribe from these emails, change your notification settings at https://github.com/Checkmk/checkmk/settings/notifications
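The Werk above points defenders at `var/check_mk/inventory/` as the place to look for inventories with embedded HTML. The following scanner is an added example, not Checkmk code: it treats each inventory file as opaque text (the on-disk format is not parsed, which is an assumption), flags tag-like tokens, and separates active markup (script, image, event handlers) from benign angle-bracket values such as `<unknown>` so an operator can triage quickly. Host names derived from file names and gzip siblings named `*.gz` are also assumptions.

```python
import gzip
import re
import tempfile
from pathlib import Path

# Anything that looks like an opening or closing tag; group 1 is the tag name.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)[^<>]*>")
# Elements that can run script or pull remote content, plus handler attributes.
ACTIVE_TAGS = {"script", "img", "iframe", "svg", "object", "embed", "link", "style", "a"}
ACTIVE_ATTR_RE = re.compile(r"\bon[a-z]+\s*=|javascript:", re.I)

def find_html_markers(text: str) -> list[tuple[str, str]]:
    """Return (severity, snippet) for every tag-like token in the text.
    'high': active element or event handler; 'low': any other markup, which
    is where benign values such as '<unknown>' land for manual triage."""
    hits = []
    for m in TAG_RE.finditer(text):
        snippet, name = m.group(0), m.group(1).lower()
        active = name in ACTIVE_TAGS or ACTIVE_ATTR_RE.search(snippet)
        hits.append(("high" if active else "low", snippet))
    return hits

def _read(path: Path) -> str:
    # Assumption: a "*.gz" sibling is a gzip copy of the same inventory text.
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", errors="replace") as fh:
        return fh.read()

def scan_inventory_dir(directory: Path) -> dict[str, list[tuple[str, str]]]:
    """Map host name (file name, '.gz' stripped) to findings; clean hosts are omitted."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for path in sorted(p for p in directory.iterdir() if p.is_file()):
        if hits := find_html_markers(_read(path)):
            findings.setdefault(path.name.removesuffix(".gz"), []).extend(hits)
    return findings

def demo_scan() -> dict[str, list[tuple[str, str]]]:
    """Constructed sample inventory dir: one benign host, one with injected markup."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "host-ok").write_text("{'vendor': '<unknown>', 'cores': '4 < 8'}")
        (d / "host-bad").write_text("{'os_name': '<script>x()</script>'}")
        with gzip.open(d / "host-bad.gz", "wt") as fh:
            fh.write("{'model': '<b onmouseover=x>srv</b>'}")
        return scan_inventory_dir(d)

if __name__ == "__main__":
    for host, hits in demo_scan().items():
        for severity, snippet in hits:
            print(f"{host}: [{severity}] {snippet!r}")
```

As the Werk notes, this only catches payloads still present in the cached inventory; point `scan_inventory_dir` at the site's real `var/check_mk/inventory/` to run it for real.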
Branch: refs/heads/master
Home: https://github.com/Checkmk/checkmk
Commit: 7b72dc399ddb5eadf631ca81b86f183815c8400c
https://github.com/Checkmk/checkmk/commit/7b72dc399ddb5eadf631ca81b86f18381…
Author: Sven Panne <sven.panne(a)checkmk.com>
Date: 2024-06-14 (Fri, 14 Jun 2024)
Changed paths:
M packages/livestatus/include/livestatus/LogCache.h
M packages/livestatus/src/LogCache.cc
M packages/livestatus/src/Logfile.cc
Log Message:
-----------
Refactoring: Do not construct invalid Logfile instances
Change-Id: Id31945b6f51fb17a38c34748667c2a10a0843fed
Branch: refs/heads/2.2.0
Home: https://github.com/Checkmk/checkmk
Commit: 74dd5ce0dd6947930e05a3ece2f62e790e1646d0
https://github.com/Checkmk/checkmk/commit/74dd5ce0dd6947930e05a3ece2f62e790…
Author: Maximilian Wirtz <maximilian.wirtz(a)checkmk.com>
Date: 2024-06-14 (Fri, 14 Jun 2024)
Changed paths:
A .werks/17009
M cmk/gui/views/inventory/__init__.py
Log Message:
-----------
17009 SEC XSS in inventory tree
Prior to this Werk an attacker with control over an agent was able to inject HTML in the output which was then rendered in the inventory tree of the corresponding host.
This problem exists only if the rule *Do hardware/software inventory* is set for the compromised agent/host.
We found this vulnerability internally.
**Affected Versions:**
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0
**Mitigations**:
If you are unable to patch you can disable inventory scanning for all hosts.
**Indicators of Compromise:**
You can check `var/check_mk/inventory/` for inventories with embedded HTML.
This only indicates current 'attacks'.
Previous attacks (where the agent does not output the payload anymore) are not discoverable after some time (caching).
**Vulnerability Management:**
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector:
`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L`
We assigned CVE-2024-5741 to this vulnerability.
**Changes:**
This Werk adds sanitation to the HTML output.
Change-Id: I5b93ac74128384c910fb17c54906bd62ee785d34
Branch: refs/heads/master
Home: https://github.com/Checkmk/checkmk
Commit: 99edb493b66ca7b4e80cfeacc38e095ca9fa6d99
https://github.com/Checkmk/checkmk/commit/99edb493b66ca7b4e80cfeacc38e095ca…
Author: Anastasiia Shevchuk <anastasiia.shevchuk(a)checkmk.com>
Date: 2024-06-14 (Fri, 14 Jun 2024)
Changed paths:
M tests/gui_e2e/test_asvs.py
M tests/gui_e2e/test_change_password.py
A tests/testlib/playwright/pom/change_password.py
Log Message:
-----------
gui_e2e: create PoM object for change password page
Add a new object for the Change Password page and refactor the
tests for this page accordingly (CMK-17723)
Change-Id: Ic01e48bade446bdb3c4e92225e08f776ccdd403f
Branch: refs/heads/2.3.0
Home: https://github.com/Checkmk/checkmk
Commit: 5ddfcaa66017b4dfed3a60892d034d547eae9a1f
https://github.com/Checkmk/checkmk/commit/5ddfcaa66017b4dfed3a60892d034d547…
Author: Timotheus Bachinger <timotheus.bachinger(a)checkmk.com>
Date: 2024-06-14 (Fri, 14 Jun 2024)
Changed paths:
A .werks/16246.md
M cmk/plugins/cmctc/agent_based/cmctc_lcp.py
Log Message:
-----------
16246 FIX Rittal temperature check regression
You're affected if you're using rittal temperature checks under 2.3.0.
This regression exists since 2.3.0b1 and creates the following crash:
```
File "/omd/sites/YOURSITE/lib/python3/cmk/plugins/lib/temperature.py", line 319, in check_temperature
raise ValueError (Cannot compute trend. Either specify both variables 'unique_name' and 'value_store' or none.)
```
Change-Id: I90cd4c1f46dd1f7301fb5024a1a4825262ee0da9
JIRA-Ref: SUP-18502