Branch: refs/heads/2.1.0
Home:
https://github.com/Checkmk/checkmk
Commit: bcf6242f413e02037aaf803ccae7518b28ebc111
https://github.com/Checkmk/checkmk/commit/bcf6242f413e02037aaf803ccae7518b2…
Author: Teresa Siegmantel <teresa.siegmantel(a)tribe29.com>
Date: 2023-05-12 (Fri, 12 May 2023)
Changed paths:
A .werks/13982
M cmk/gui/fields/definitions.py
M cmk/gui/plugins/openapi/endpoints/acknowledgement.py
M cmk/gui/plugins/openapi/endpoints/downtime.py
M cmk/gui/plugins/openapi/endpoints/host_config.py
M cmk/gui/plugins/openapi/endpoints/host_internal.py
M cmk/gui/plugins/openapi/endpoints/service.py
M cmk/gui/plugins/openapi/endpoints/service_discovery.py
M cmk/gui/plugins/openapi/restful_objects/request_schemas.py
Log Message:
-----------
13982 SEC Reading host_configs will now honour contact groups
Prior to this Werk it was possible for a user to read a host's configuration
(using GET on '/objects/host_config/<host_name>') even if that user was not
in the contact group of that host.
The REST-API will correctly check a user's permissions before serving a response
in that case and report a 403 error if the user cannot access the host's config.
Affected Versions:
- 2.2.0 (beta)
- 2.1.0
Vulnerability Management:
We calculated a CVSS 3.1 score of 4.3 (Medium) with the following vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
We assigned CVE-2023-22348 to this vulnerability.
We found this vulnerability internally and have no indication of any exploitation.
Change-Id: Id04281db696467ae11ee1d5ce3d172c1bed71a93
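The authorisation gap the werk describes, and the shape of the fix, as an added illustration that is not Checkmk's code: a minimal model of a `GET /objects/host_config/<host_name>` handler before and after the check. The `User`, `Host`, `HOSTS` table, the admin bypass and the response tuples are assumptions made for this example; Checkmk's real data model, permission layer and JSON envelope differ.

```python
"""Contact-group check for a host_config read.

Added example, not Checkmk's own code. It models the flaw from werk 13982:
a REST handler that returns a host's configuration without verifying that
the requesting user is a contact for that host, next to the hardened form
that answers 403 as the werk describes.
"""
from __future__ import annotations

from dataclasses import dataclass


# --- constructed sample data (assumption: not Checkmk's data model) ----------

@dataclass(frozen=True)
class User:
    name: str
    contact_groups: frozenset[str]
    is_admin: bool = False  # assumption: an admin role may read every host


@dataclass(frozen=True)
class Host:
    name: str
    contact_groups: frozenset[str]
    attributes: dict[str, str]


HOSTS: dict[str, Host] = {
    "db01": Host("db01", frozenset({"dba"}), {"ipaddress": "10.0.0.5", "site": "prod"}),
    "web01": Host("web01", frozenset({"web-ops"}), {"ipaddress": "10.0.0.9"}),
}

Response = tuple[int, dict]  # (HTTP status, JSON body)


def _host_response(host: Host) -> Response:
    return 200, {"id": host.name, "extensions": {"attributes": dict(host.attributes)}}


def get_host_config_before(user: User, host_name: str) -> Response:
    """Shape of the flaw: the host is looked up and serialised; the requester's
    contact groups are never consulted, so any authenticated user can read
    any host's configuration (the `user` argument is unused on purpose)."""
    host = HOSTS.get(host_name)
    if host is None:
        return 404, {"title": "Not Found", "detail": f"host {host_name!r} does not exist"}
    return _host_response(host)


def user_is_contact_for(user: User, host: Host) -> bool:
    """Contact-group rule: the user must share at least one contact group with
    the host, unless the assumed admin bypass applies."""
    return user.is_admin or not user.contact_groups.isdisjoint(host.contact_groups)


def get_host_config_after(user: User, host_name: str) -> Response:
    """Hardened form: authorise against the host's contact groups before
    serialising anything, and answer 403 when the user is not a contact."""
    host = HOSTS.get(host_name)
    if host is None:
        return 404, {"title": "Not Found", "detail": f"host {host_name!r} does not exist"}
    if not user_is_contact_for(user, host):
        return 403, {
            "title": "Forbidden",
            "detail": f"user {user.name!r} is not a contact for host {host.name!r}",
        }
    return _host_response(host)


if __name__ == "__main__":
    web_ops = User("alice", frozenset({"web-ops"}))
    print("before:", get_host_config_before(web_ops, "db01")[0])  # 200: config leaks
    print("after: ", get_host_config_after(web_ops, "db01")[0])   # 403
```

One design point worth noticing: because the existence check runs first, the hardened handler still distinguishes 404 from 403, which tells a non-contact that a host name exists. The werk specifies 403, so the example keeps that behaviour; an API that treats host names themselves as sensitive would return 404 in both cases.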