Branch: refs/heads/2.2.0
Home:
https://github.com/Checkmk/checkmk
Commit: 73081bcdd27ad90583d520f3fc67e30c2a3fb642
https://github.com/Checkmk/checkmk/commit/73081bcdd27ad90583d520f3fc67e30c2…
Author: Hannes Rantzsch <hannes.rantzsch(a)checkmk.com>
Date: 2024-10-07 (Mon, 07 Oct 2024)
Changed paths:
A .werks/17096
M cmk/gui/htmllib/html.py
M cmk/gui/utils/csrf_token.py
M cmk/gui/utils/urls.py
M cmk/gui/watolib/hosts_and_folders.py
M web/htdocs/js/modules/ajax.ts
M web/htdocs/js/modules/forms.ts
Log Message:
-----------
17096 SEC CSRF token leaked in URL parameters (CVE-2024-38863)
Before this Werk, the CSRF token was mistakenly included as a query parameter in certain
URLs when navigating Checkmk, which could result in the token being saved in bookmarks.
This increased the risk of unintentional exposure, such as when sharing bookmarks with
other users.
The issue has been resolved.
While storing or unintentionally exposing the token doesn't present an immediate
security threat, it could potentially enable phishing attacks targeting the specific user
for the duration of the token's validity.
In Checkmk, CSRF tokens remain valid for the session's duration (configured under
Global settings > Session management).
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
*Mitigations*:
Avoid sharing or exposing URLs that contain the query parameter `csrf_token=`.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 2.0 Low
(`CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L`) and assigned
`CVE-2024-38863`.
CMK-18866
Change-Id: I60bd4f0a674c12c198dfed88aee0bb392971cea7
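The mitigation above tells users to avoid sharing URLs that carry `csrf_token=`. The following is an added example (not Checkmk's code and not the fix in this Werk) of how a practitioner could find such URLs in an exported bookmark list or access log and scrub the parameter before sharing a link. The function names and the sample URLs are constructed for this example; only the parameter name `csrf_token` comes from the Werk text.

```python
"""Detect and strip a CSRF token that was leaked into a URL's query string.

Added example, not Checkmk's own code or the change in Werk 17096. It shows the
pattern the commit message describes (the session's CSRF token carried in a
`csrf_token=` query parameter, which then lands in bookmarks or shared links)
and a helper to find and scrub such URLs. Function names and sample URLs are
illustrative assumptions constructed for this example.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter named in the Werk's mitigation text.
CSRF_PARAM = "csrf_token"


def leaked_token(url: str) -> Optional[str]:
    """Return the CSRF token carried in the query string, or None if there is none."""
    parts = urlsplit(url)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == CSRF_PARAM:
            return value
    return None


def strip_csrf_token(url: str) -> str:
    """Return the URL with every csrf_token= pair removed.

    All other query parameters keep their order, and path and fragment are left
    untouched, so a scrubbed bookmark still points at the same page.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != CSRF_PARAM]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def find_leaked_urls(urls: List[str]) -> List[Tuple[str, str]]:
    """Scan URLs (e.g. exported bookmarks or proxy log lines) and return
    (url, token) for every one that carries a CSRF token."""
    hits = []
    for url in urls:
        token = leaked_token(url)
        if token is not None:
            hits.append((url, token))
    return hits


# Constructed sample input: one bookmark-style URL with a leaked token, one clean URL.
# Host name, site name and token value are made up for this example.
SAMPLE_URLS = [
    "https://monitoring.example/mysite/check_mk/wato.py?mode=folder&folder=prod&csrf_token=0f3a9c2e1b7d4e6f",
    "https://monitoring.example/mysite/check_mk/view.py?view_name=allhosts",
]

if __name__ == "__main__":
    for url, token in find_leaked_urls(SAMPLE_URLS):
        print(f"leaked token {token!r} in {url}")
        print(f"  safe to share: {strip_csrf_token(url)}")
```

Because the token stays valid for the whole session (see the Werk text), a scrubbed link is the only safe form to hand to another user; the scan function is also a cheap check to run over proxy or web-server logs to see whether tokens have already been recorded there.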
Commit: e176f520feaf70551cd267160af3fa0a0892bba9
https://github.com/Checkmk/checkmk/commit/e176f520feaf70551cd267160af3fa0a0…
Author: Hannes Rantzsch <hannes.rantzsch(a)checkmk.com>
Date: 2024-10-07 (Mon, 07 Oct 2024)
Changed paths:
A .werks/17095
M cmk/gui/watolib/host_attributes.py
M cmk/gui/watolib/hosts_and_folders.py
M tests/unit/cmk/gui/watolib/test_hosts_and_folders.py
Log Message:
-----------
17095 SEC Sanitize Host and Folder Credentials in Audit Log
CVE-2024-38862
CMK-17985
Change-Id: I4f5fab7932b45dd3f152426f8dc15252437f0f37
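The commit title says host and folder credentials are now sanitized before they reach the audit log. As an added example (not Checkmk's code and not the change in this Werk), here is one way to redact credential-bearing attributes from a host or folder attribute dict and build an audit entry that records that a secret changed without recording either value. The set of attribute names treated as secrets, the helper names and the sample attributes are assumptions constructed for this example.

```python
"""Redact credential attributes before writing a host/folder change to an audit log.

Added example, not Checkmk's own code or the change in Werk 17095. The names
treated as secrets below are an assumption for illustration; a real system
would take that flag from the attribute definitions rather than a fixed list.
"""
from typing import Any, Dict

REDACTED = "******"

# Assumed set of attribute names whose values are credentials.
SECRET_ATTRIBUTES = frozenset({"password", "secret", "snmp_community", "auth_password", "priv_password"})


def _is_secret(name: str) -> bool:
    """Treat listed names and any *_password attribute as credentials."""
    return name in SECRET_ATTRIBUTES or name.endswith("_password")


def sanitize_attributes(attributes: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the attributes with secret values replaced by REDACTED.

    Nested dicts and lists are walked recursively so structured credentials
    (e.g. an SNMPv3 block holding auth_password) are redacted too. A secret that
    is unset (None) is left as None: that reveals no credential material and
    keeps "credential removed" visible in the log. The input is not modified.
    """
    def walk(obj: Any) -> Any:
        if isinstance(obj, dict):
            return {
                k: (REDACTED if _is_secret(k) and v is not None else walk(v))
                for k, v in obj.items()
            }
        if isinstance(obj, list):
            return [walk(x) for x in obj]
        return obj

    return walk(attributes)


def audit_diff_text(old: Dict[str, Any], new: Dict[str, Any]) -> str:
    """Build the audit-log text for an attribute change with secrets redacted.

    Changes are detected on the real values, so a changed credential still shows
    up as a change, but only the sanitized values are written out.
    """
    old_s, new_s = sanitize_attributes(old), sanitize_attributes(new)
    lines = []
    for key in sorted(set(old) | set(new)):
        if old.get(key) == new.get(key):
            continue
        lines.append(f'Attribute "{key}" changed from {old_s.get(key)!r} to {new_s.get(key)!r}')
    return "\n".join(lines)


# Constructed sample attributes (values are made up for this example).
OLD_ATTRS = {"alias": "db1", "snmp_community": "public", "ipaddress": "10.0.0.5"}
NEW_ATTRS = {
    "alias": "db1",
    "snmp_community": "s3cret",
    "ipaddress": "10.0.0.6",
    "management_snmp_credentials": {"auth_password": "hunter2", "security_name": "monitor"},
}

if __name__ == "__main__":
    print(audit_diff_text(OLD_ATTRS, NEW_ATTRS))
```

The point of diffing on the real values and printing the sanitized ones is that an auditor still sees that a community string or password was rotated, which is itself security-relevant, while the audit log (often readable by more users than the host configuration) never holds the secret.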
Compare:
https://github.com/Checkmk/checkmk/compare/36a6005a638f...e176f520feaf