Branch: refs/heads/2.1.0
Home:
https://github.com/Checkmk/checkmk
Commit: 2961f0962585012eff18ef804d87535bd3c821c3
https://github.com/Checkmk/checkmk/commit/2961f0962585012eff18ef804d87535bd…
Author: Maximilian Wirtz <maximilian.wirtz(a)checkmk.com>
Date: 2024-07-22 (Mon, 22 Jul 2024)
Changed paths:
A .werks/17013
M cmk/base/notify.py
M cmk/utils/notify.py
M tests/unit/cmk/utils/test_notify_utils.py
Log Message:
-----------
17013 SEC Livestatus injection in mknotifyd
Before this Werk a malicious notification sent via mknotifyd could allow an attacker to
send arbitrary livestatus commands.
With this Werk livestatus escaping was added to the relevant functions.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 6.5 Medium
(`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L`) and assigned `CVE-2024-6542`.
CMK-18068
Change-Id: I33fced967298b208fed08a6d0b4dcc2ceb126c6b
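
The class of bug this Werk describes, as an added example that is not code from the Checkmk commit: Livestatus requests are newline-delimited, so a value containing a line break adds a request line of its own unless it is escaped first. The function names, the query and the sample notification context are constructed for illustration, and stripping newlines as the escaping step is an assumption about the fix, which this message does not show.

```python
# Added illustration: hypothetical helper names, not Checkmk's code.
# Livestatus requests are line-based: one header per line, newline-terminated.

def build_query_unsafe(host_name: str) -> str:
    """'Before' pattern: the value is pasted into the request verbatim."""
    return f"GET hosts\nColumns: name state\nFilter: name = {host_name}\n"


def escape_value(value: str) -> str:
    """Remove line breaks so a value cannot leave the line it was placed on."""
    return value.replace("\n", "")


def build_query_escaped(host_name: str) -> str:
    """'After' pattern: escape every externally supplied value first."""
    return f"GET hosts\nColumns: name state\nFilter: name = {escape_value(host_name)}\n"


def request_lines(query: str) -> list[str]:
    """Split a request into the lines the server would parse."""
    return [line for line in query.split("\n") if line]


def multiline_fields(context: dict[str, str]) -> list[str]:
    """Detection aid: names of context fields that carry a line break."""
    return sorted(k for k, v in context.items() if "\n" in v or "\r" in v)


# Constructed notification context; the second line in HOSTNAME is a harmless marker.
SAMPLE_CONTEXT = {
    "HOSTNAME": "srv01\nX-Constructed-Marker: 1",
    "SERVICEDESC": "CPU load",
}

if __name__ == "__main__":
    host = SAMPLE_CONTEXT["HOSTNAME"]
    print(request_lines(build_query_unsafe(host)))   # marker becomes its own line
    print(request_lines(build_query_escaped(host)))  # marker stays inside the filter value
    print(multiline_fields(SAMPLE_CONTEXT))
```

Running `multiline_fields` over incoming notification contexts before they reach any query builder gives a cheap signal that a field was crafted rather than produced by the monitoring core.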