Branch: refs/heads/2.0.0
Home:
https://github.com/tribe29/checkmk
Commit: 6f14b34db40105e76752c8583c1128dc9d213d94
https://github.com/tribe29/checkmk/commit/6f14b34db40105e76752c8583c1128dc9…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-12-14 (Wed, 14 Dec 2022)
Changed paths:
A .werks/14924
M cmk/gui/visuals.py
Log Message:
-----------
14924 SEC Fix CSRF in add-visual endpoint
Prior to this Werk an attacker could utilize a cross-site request forgery
vulnerability in Checkmk to add elements to visuals (e.g. dashboards, reports, etc.).
<b>Mitigations:</b>
If you are unable to update in a timely manner you could remove the permission
<tt>Customize dashboards and use them</tt> and <tt>Customize reports and
use them</tt> from the used roles. So the users and admins cannot edit dashboards
and reports anymore.
Adding a <tt>Custom url</tt> with a malicious URL is blocked by the
Content-Security-Policy.
All versions of Checkmk (including 1.6) are subject to this vulnerability.
This vulnerability was found through a self-commissioned penetration test.
We have rated the issue with a CVSS Score of 4.6 (Medium) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L</tt> A CVE has been
requested.
CMK-11705
Change-Id: If71e0347339eb5bcb590b749476aab7939e0710e
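As an added illustration, not Checkmk's code and not part of this commit, the following hypothetical handler shows why both the fix (a per-session CSRF token check) and the interim mitigation (removing the customize permission) stop a forged cross-site POST from adding an element: the forged request can carry the victim's cookie but not the session's token. `Session`, `add_visual` and the form field names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Permission name as printed in the Werk; the constant itself is an assumption.
PERM_CUSTOMIZE_DASHBOARDS = "Customize dashboards and use them"


@dataclass
class Session:
    """Hypothetical server-side session: the CSRF token lives here, never in a cookie
    the browser would attach automatically to a cross-site request."""
    user: str
    permissions: set
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    visuals: dict = field(default_factory=dict)


def add_visual(session: Session, form: dict) -> tuple:
    """Model of a state-changing add-visual endpoint. Returns (status, reason).

    A cross-site forged POST arrives with the victim's session but with a form the
    attacker built, so it cannot contain the session-bound token."""
    # Interim mitigation from the Werk: without the permission nothing can be added.
    if PERM_CUSTOMIZE_DASHBOARDS not in session.permissions:
        return 403, "permission missing"
    # The fix: require the session's CSRF token on every state-changing request.
    # compare_digest on bytes avoids timing leaks and tolerates non-ASCII input.
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(supplied, session.csrf_token.encode()):
        return 403, "csrf token missing or invalid"
    name = form.get("visual_name")
    element = form.get("element")
    if not name or not element:
        return 400, "bad request"
    session.visuals.setdefault(name, []).append(element)
    return 200, "added"
```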