Branch: refs/heads/2.3.0
Home:
https://github.com/Checkmk/checkmk
Commit: 3f9a6629867cd7bd57fdf63bb29d16e266b2d866
https://github.com/Checkmk/checkmk/commit/3f9a6629867cd7bd57fdf63bb29d16e26…
Author: Maximilian Wirtz <maximilian.wirtz(a)checkmk.com>
Date: 2024-07-16 (Tue, 16 Jul 2024)
Changed paths:
A .werks/17013.md
M cmk/utils/notify.py
M tests/unit/cmk/utils/test_notify_utils.py
Log Message:
-----------
17013 SEC Livestatus injection in mknotifyd
Before this Werk a malicious notification sent via mknotifyd could allow an attacker to
send arbitrary livestatus commands.
With this Werk livestatus escaping was added to the relevant functions.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 6.5 Medium
(`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L`) and assigned `CVE-2024-6542`.
CMK-18068
Change-Id: I33fced967298b208fed08a6d0b4dcc2ceb126c6b
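
The injection class named in the Werk, shown as an added example that is not code from this commit or from Checkmk: Livestatus requests are line-oriented, so an untrusted value that carries line breaks can end one request and start another. The helper names, the sample host name and the choice of stripping line breaks as the escaping step are assumptions made for illustration.

```python
"""Livestatus query injection and escaping, on constructed input."""


def lq_escape(value: str) -> str:
    # Livestatus requests are newline-delimited: one header per line, and a
    # blank line ends the request. Removing line breaks keeps an untrusted
    # value inside the single header it was placed in.
    return value.replace("\r", "").replace("\n", "")


def build_query_unsafe(host_name: str) -> str:
    # Vulnerable pattern: untrusted text is interpolated as-is.
    return f"GET hosts\nColumns: name state\nFilter: name = {host_name}\n\n"


def build_query_safe(host_name: str) -> str:
    # Hardened pattern: escape every untrusted value before interpolation.
    escaped = lq_escape(host_name)
    return f"GET hosts\nColumns: name state\nFilter: name = {escaped}\n\n"


def count_requests(raw: str) -> int:
    # A blank line terminates a request, so count the non-empty blocks.
    return sum(1 for block in raw.split("\n\n") if block.strip())


def header_lines(raw: str) -> list[str]:
    # Non-empty lines are what the receiving side parses as request lines.
    return [line for line in raw.split("\n") if line]


# Constructed input: a host name field carrying embedded line breaks.
UNTRUSTED = "web01\n\nGET services\nColumns: description"

if __name__ == "__main__":
    for builder in (build_query_unsafe, build_query_safe):
        raw = builder(UNTRUSTED)
        print(builder.__name__, "->", count_requests(raw), "request(s)")
        for line in header_lines(raw):
            print("   ", line)
```

A check like `count_requests(...) == 1` on every outgoing query makes a useful unit-test invariant for any code path that builds Livestatus requests from external data.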