[checkmk-commits] [tribe29/checkmk] 52a8a0: 15065 SEC Path-Traversal in MKP storing

Branch: refs/heads/master Home: https://github.com/tribe29/checkmk Commit: 52a8a08484a45fc81cdf9049d13e0e42e82cf834 https://github.com/tribe29/checkmk/commit/52a8a08484a45fc81cdf9049d13e0e42e… Author: Maximilian Wirtz &lt;maximilian.wirtz(a)tribe29.com&gt; Date: 2023-01-10 (Tue, 10 Jan 2023) Changed paths: A .werks/15065 M cmk/utils/packaging/_type_defs.py Log Message: ----------- 15065 SEC Path-Traversal in MKP storing Previous to this Werk it was possible that an authenticated user with admin rights uploads a malicious MKP leading to a file creation with an attacker controlled path. We thank Niko Wenselowsk (SVA) for reporting this issue. <b>Affected versions are:</b> LI: 2.0.0 previous to this Werk LI: 2.1.0 previous to this Werk LI: 1.6.0 is not affected <b>Detection possibilities:</b> A audit log is written when an extension package is uploaded. You can look for a entry with <tt>Uploaded extension package</tt> follwed by a package name and version containing sequences of <tt>../</tt>. <b>Vulnerability Management:</b> We have rated the issue with a CVSS Score of 3.5 (low) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L. We assigned CVE-2022-4884 to this vulnerability. FEED-7598 Change-Id: I80f9e0047546a609e4d12aba30b353e201cfab1d Commit: b231e7bdcf6921a372a4c914e5128555e84834bb https://github.com/tribe29/checkmk/commit/b231e7bdcf6921a372a4c914e5128555e… Author: Maximilian Wirtz &lt;maximilian.wirtz(a)tribe29.com&gt; Date: 2023-01-10 (Tue, 10 Jan 2023) Changed paths: M agents/cmk-agent-ctl/Cargo.lock Log Message: ----------- Update Rust dependencies Change-Id: I2f188a1aa22558a9f4bbd74de7924b1346296bdf Compare: https://github.com/tribe29/checkmk/compare/00f720172ee3...b231e7bdcf69