Branch: refs/heads/master
Home:
https://github.com/Checkmk/checkmk
Commit: bdb4f23411f1471766df64294b2ce70db826ee8e
https://github.com/Checkmk/checkmk/commit/bdb4f23411f1471766df64294b2ce70db…
Author: Hannes Rantzsch <hannes.rantzsch(a)checkmk.com>
Date: 2024-10-07 (Mon, 07 Oct 2024)
Changed paths:
A .werks/17096.md
Log Message:
-----------
17096 SEC CSRF token leaked in URL parameters (CVE-2024-38863)
Before this Werk, the CSRF token was mistakenly included as a query parameter in certain
URLs when navigating Checkmk, which could result in the token being saved in bookmarks.
This increased the risk of unintentional exposure, such as when sharing bookmarks with
other users.
The issue has been resolved.
While storing or unintentionally exposing the token doesn't present an immediate
security threat, it could potentially enable phishing attacks targeting the specific user
for the duration of the token's validity.
In Checkmk, CSRF tokens remain valid for the session's duration (configured under
Global settings > Session management).
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
*Mitigations*:
Avoid sharing or exposing URLs that contain the query parameter `csrf_token=`.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 2.0 Low
(`CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L`) and assigned
`CVE-2024-38863`.
CMK-18866
Change-Id: Ica3e20c5dd28e306a95e99d98ec0e78d23b11a22
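A defender-side check for the exposure this Werk describes, added here as an example and not part of the commit or Checkmk's own code: it scans constructed bookmark-export and access-log lines (the hostname, user and token values are made up) for URLs carrying the `csrf_token=` query parameter, reports each hit with the token already stripped so the report itself does not leak it, and provides the same stripping helper for cleaning a URL before it is shared.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter named in the Werk's mitigation advice.
CSRF_PARAM = "csrf_token"

# Matches absolute URLs as well as bare paths, as long as they carry a query
# string; stops at whitespace, quotes and angle brackets so it works on both
# HTML bookmark exports and quoted request lines in web server logs.
URL_WITH_QUERY = re.compile(r"(?:https?://)?[^\s\"'<>]+\?[^\s\"'<>]*")


def strip_csrf_token(url: str) -> tuple[str, bool]:
    """Return the URL without any csrf_token parameter and a flag telling
    whether one was present. Other parameters keep their order."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in params if k != CSRF_PARAM]
    leaked = len(kept) != len(params)
    return urlunsplit(parts._replace(query=urlencode(kept))), leaked


def find_leaked_tokens(lines: list[str]) -> list[tuple[int, str]]:
    """Report (line number, redacted URL) for every URL that carried a
    csrf_token parameter in the given text lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for url in URL_WITH_QUERY.findall(line):
            clean, leaked = strip_csrf_token(url)
            if leaked:
                findings.append((lineno, clean))
    return findings


# Constructed sample input: one Netscape-style bookmark line and two
# Apache-style access-log lines; hostname, user and tokens are invented.
SAMPLE_LINES = [
    '<DT><A HREF="https://monitoring.example.com/mysite/check_mk/wato.py'
    '?mode=folder&csrf_token=0123abcd">Setup</A>',
    '10.0.0.5 - hans [07/Oct/2024:10:00:00 +0000] "GET /mysite/check_mk/'
    'view.py?view_name=allhosts HTTP/1.1" 200 512',
    '10.0.0.5 - hans [07/Oct/2024:10:00:01 +0000] "GET /mysite/check_mk/'
    'wato.py?csrf_token=deadbeef&mode=edithost HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for lineno, url in find_leaked_tokens(SAMPLE_LINES):
        print(f"line {lineno}: csrf_token found, sanitized URL: {url}")
```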
Commit: c5cc3ce47bb1d609eb3ac9192bb7539e926ef291
https://github.com/Checkmk/checkmk/commit/c5cc3ce47bb1d609eb3ac9192bb7539e9…
Author: Hannes Rantzsch <hannes.rantzsch(a)checkmk.com>
Date: 2024-10-07 (Mon, 07 Oct 2024)
Changed paths:
A .werks/17095.md
M cmk/gui/watolib/host_attributes.py
M cmk/gui/watolib/hosts_and_folders.py
M tests/unit/cmk/gui/watolib/test_hosts_and_folders.py
Log Message:
-----------
17095 SEC Sanitize Host and Folder Credentials in Audit Log
CVE-2024-38862
CMK-17985
Change-Id: I4f5fab7932b45dd3f152426f8dc15252437f0f37
Compare:
https://github.com/Checkmk/checkmk/compare/a517ba8607b0...c5cc3ce47bb1