Branch: refs/heads/master
Home: https://github.com/tribe29/checkmk
Commit: 52a8a08484a45fc81cdf9049d13e0e42e82cf834
https://github.com/tribe29/checkmk/commit/52a8a08484a45fc81cdf9049d13e0e42e…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2023-01-10 (Tue, 10 Jan 2023)
Changed paths:
A .werks/15065
M cmk/utils/packaging/_type_defs.py
Log Message:
-----------
15065 SEC Path-Traversal in MKP storing
Previous to this Werk it was possible that an authenticated user with admin rights uploads
a malicious MKP leading to a file creation with an attacker-controlled path.
We thank Niko Wenselowsk (SVA) for reporting this issue.
<b>Affected versions are:</b>
LI: 2.0.0 previous to this Werk
LI: 2.1.0 previous to this Werk
LI: 1.6.0 is not affected
<b>Detection possibilities:</b>
An audit log is written when an extension package is uploaded.
You can look for an entry with <tt>Uploaded extension package</tt> followed by a
package name and version containing sequences of <tt>../</tt>.
<b>Vulnerability Management:</b>
We have rated the issue with a CVSS Score of 3.5 (low) with the following CVSS vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L.
We assigned CVE-2022-4884 to this vulnerability.
FEED-7598
Change-Id: I80f9e0047546a609e4d12aba30b353e201cfab1d
Commit: b231e7bdcf6921a372a4c914e5128555e84834bb
https://github.com/tribe29/checkmk/commit/b231e7bdcf6921a372a4c914e5128555e…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2023-01-10 (Tue, 10 Jan 2023)
Changed paths:
M agents/cmk-agent-ctl/Cargo.lock
Log Message:
-----------
Update Rust dependencies
Change-Id: I2f188a1aa22558a9f4bbd74de7924b1346296bdf
Compare:
https://github.com/tribe29/checkmk/compare/00f720172ee3...b231e7bdcf69
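
The detection hint in Werk 15065 above, as an added example that is not part of the commit or of Checkmk's own code: a Python scan for `Uploaded extension package` audit entries whose package name or version contains a `..` path component. Only the marker text comes from the Werk; the log line layout and the sample entries are constructed assumptions, and the check also covers `..\` and a trailing `..`, which goes slightly beyond the `../` sequence the Werk names.

```python
import re
import sys

# Marker text quoted in the Werk; the rest of the line layout is an assumption.
MARKER = "Uploaded extension package"

# Constructed sample entries (not real audit log output).
SAMPLE_LOG = """\
1673340000 - admin mkp-upload Uploaded extension package my_checks 1.2.0
1673340100 - admin mkp-upload Uploaded extension package ../../tmp/evil 1.0
1673340200 - admin mkp-upload Uploaded extension package harmless 1.0/../../x
1673340300 - admin edit-host Modified host web..01
1673340400 - admin mkp-upload Uploaded extension package notes..final 2.0
"""


def find_suspicious_uploads(lines):
    """Return (line_number, line) for upload entries with a '..' path component."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        _, found, tail = line.partition(MARKER)
        if not found:
            continue  # not an extension package upload entry
        # Everything after the marker is treated as package name and version.
        for token in tail.split():
            # Split on both separators so '../' and '..\\' are caught,
            # while a harmless name such as 'notes..final' is not.
            if ".." in re.split(r"[/\\]", token):
                hits.append((lineno, line.rstrip("\n")))
                break
    return hits


if __name__ == "__main__":
    # Usage: python scan_mkp_uploads.py [audit-log-file]; without an argument
    # the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.readlines()
    else:
        source = SAMPLE_LOG.splitlines()
    for lineno, entry in find_suspicious_uploads(source):
        print(f"line {lineno}: {entry}")
```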