Branch: refs/heads/2.2.0
Home: https://github.com/Checkmk/checkmk
Commit: fa615875d1123f64cecd742ed6a9e4a87584516f
https://github.com/Checkmk/checkmk/commit/fa615875d1123f64cecd742ed6a9e4a87…
Author: Maximilian Wirtz <maximilian.wirtz(a)checkmk.com>
Date: 2024-07-18 (Thu, 18 Jul 2024)
Changed paths:
A .werks/17013
M cmk/utils/notify.py
M tests/unit/cmk/utils/test_notify_utils.py
Log Message:
-----------
17013 SEC Livestatus injection in mknotifyd

Before this Werk a malicious notification sent via mknotifyd could allow an attacker to
send arbitrary livestatus commands.

With this Werk livestatus escaping was added to the relevant functions.

This issue was found during internal review.

*Affected Versions*:

* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)

*Vulnerability Management*:

We have rated the issue with a CVSS Score of 6.5 Medium
(`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L`) and assigned `CVE-2024-6542`.

CMK-18068

Change-Id: I33fced967298b208fed08a6d0b4dcc2ceb126c6b
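
The injection class named in the Werk, shown as an added example that is not part of this commit or of Checkmk's code: Livestatus requests are newline-delimited text ended by a blank line, so an unescaped field containing a line break can add header lines or begin a second request. The function names, the `hosts` query and the sample values are assumptions constructed for illustration.

```python
# Added illustration. All names here are hypothetical, not Checkmk's API.


def lq_escape(value: str) -> str:
    """Drop line feeds so a value cannot end its header line or the request."""
    return value.replace("\n", "")


def build_query_unsafe(host: str) -> str:
    # Before: the untrusted field is interpolated into the request as-is.
    return f"GET hosts\nColumns: name state\nFilter: name = {host}\n\n"


def build_query_safe(host: str) -> str:
    # After: the field is escaped before it reaches the request text.
    return f"GET hosts\nColumns: name state\nFilter: name = {lq_escape(host)}\n\n"


def split_requests(text: str) -> list[list[str]]:
    """Split wire text the way a line-based server sees it:
    a blank line ends one request, each remaining line is one header."""
    return [block.split("\n") for block in text.split("\n\n") if block]


if __name__ == "__main__":
    # Constructed sample values standing in for a field of a notification.
    samples = [
        "web01",                  # ordinary host name
        "web01\nLimit: 0",        # line feed adds an extra header line
        "web01\n\nGET status",    # blank line starts a second request
    ]
    for value in samples:
        unsafe = split_requests(build_query_unsafe(value))
        safe = split_requests(build_query_safe(value))
        print(f"{value!r}: unsafe -> {len(unsafe)} request(s), "
              f"{len(unsafe[0])} line(s) in the first; "
              f"safe -> {len(safe)} request(s), {len(safe[0])} line(s)")
```

With escaping applied, every sample yields exactly one request of three lines; the line feed is gone and the rest of the value stays inside the `Filter:` operand.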