Module: check_mk
Branch: master
Commit: cb1a576289ad7cd96e142b0376a45d6eaaf09a10
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=cb1a576289ad7c…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Oct 18 09:23:19 2018 +0200
6787 SEC Notification spooler: Fixed file path traversal vulnerability

The notification daemon of one site connects to the notification daemon of another site
to exchange notifications between both sites.

The notification daemon was not validating the incoming data correctly which made it possible
for an attacker that has access to the notification sending site to compromise the receiving
site.

Using this vulnerability it was possible to write files in directories that are writable
by the receiving site user. This could be used to gain access to the site.

CMK-1157
Change-Id: I20cc050a096e3f93827741a9d162c509d575e6fe
---
.werks/6787 | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/.werks/6787 b/.werks/6787
new file mode 100644
index 0000000..52107b8
--- /dev/null
+++ b/.werks/6787
@@ -0,0 +1,19 @@
+Title: Notification spooler: Fixed file path traversal vulnerability
+Level: 2
+Component: notifications
+Class: security
+Compatible: compat
+Edition: cee
+State: unknown
+Version: 1.6.0i1
+Date: 1539847243
+
+The notification daemon of one site connects to the notification daemon of another site
+to exchange notifications between both sites.
+
+The notification daemon was not validating the incoming data correctly which made it
possible
+for an attacker that has access to the notification sending site to compromise the
receiving
+site.
+
+Using this vulnerability it was possible to write write files in directories that are
writable
+by the receiving site user. This could be used to gain access to the site.
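
Review bot: The last paragraph of the werk text reads "write write files"; drop the duplicated word before this text reaches the changelog. The description also does not say which side needs the update. Since the receiving site is the one that gets compromised, a sentence stating that the receiving site must run the fixed version would make the advisory actionable. This commit changes only .werks/6787, so the validation fix itself is not visible here and should be referenced from, or reviewed alongside, this werk.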