Branch: refs/heads/2.1.0
Home:
https://github.com/tribe29/checkmk
Commit: 42a0b9b712798d263120e3ed39839d2124498628
https://github.com/tribe29/checkmk/commit/42a0b9b712798d263120e3ed39839d212…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-09-06 (Tue, 06 Sep 2022)
Changed paths:
A .werks/14485
M tests/unit/cmk/utils/test_werks.py
Log Message:
-----------
14485 SEC Fix session cookie validation on RestAPI
Before this Werk expired sessions were still valid on the RestAPI, since the
RestAPI only validated the Cookie signature.
An attacker who was able to steal a session cookie could use that cookie on the
RestAPI even after the session expired. Some actions though require access to
the user session; these actions fail due to the expired session. Some actions do
not access the session and are therefore possible.
<b>Affected Versions</b>:
All versions with the RestAPI are affected: 2.0, and 2.1.
<b>Mitigations</b>:
Immediate mitigations are not available.
<b>Indicators of Compromise</b>:
Review Apache and web.log for suspicious logs.
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 5.6 (Medium) with the following
CVSS vector:
<tt>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L</tt>.
A CVE has been requested.
This was originally fixed with 672d121c578975d93bdef56b1de9ca2c88d8786e.
Change-Id: If2114e3ce59c66163b388b7bf634181ea972a174
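The defect the Werk describes, a cookie check that verifies only the HMAC signature and never consults the server-side session, next to the hardened form that also requires a live, unexpired session. This is an added illustration written for this page, not Checkmk's own session code; the cookie format (`session_id:hexsig`), the in-memory `SESSIONS` store, the secret key and the function names are all constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed for this example; a real deployment loads this from a secrets store.
SECRET_KEY = b"example-secret-key-not-for-production"

# Constructed in-memory session store: session_id -> expiry (epoch seconds).
# In a real system this is the persisted user session the RestAPI must consult.
SESSIONS: dict = {}


def _sign(session_id: str) -> str:
    """HMAC-SHA256 over the session id; the cookie carries this as its signature."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def create_session(session_id: str, lifetime_s: float, now: float) -> str:
    """Record a server-side session and return the signed cookie value."""
    SESSIONS[session_id] = now + lifetime_s
    return f"{session_id}:{_sign(session_id)}"


def expire_session(session_id: str, now: float) -> None:
    """Simulate expiry (or an idle timeout) by moving the deadline into the past."""
    SESSIONS[session_id] = now - 1


def _split_cookie(cookie: str) -> Optional[Tuple[str, str]]:
    """Split 'session_id:signature'; return None for a malformed cookie."""
    parts = cookie.rsplit(":", 1)
    if len(parts) != 2:
        return None
    return parts[0], parts[1]


def is_valid_signature_only(cookie: str) -> bool:
    """Weak check (the pre-fix behaviour described above): only the signature is
    verified, so a stolen cookie for an expired session is still accepted."""
    parts = _split_cookie(cookie)
    if parts is None:
        return False
    session_id, sig = parts
    return hmac.compare_digest(_sign(session_id), sig)


def is_valid_signature_and_session(cookie: str, now: float) -> bool:
    """Hardened check: the signature must verify AND the session must still exist
    server-side and be unexpired. Either failure rejects the request."""
    parts = _split_cookie(cookie)
    if parts is None:
        return False
    session_id, sig = parts
    if not hmac.compare_digest(_sign(session_id), sig):
        return False
    expiry = SESSIONS.get(session_id)
    if expiry is None:
        return False  # unknown, logged-out or purged session
    return now < expiry
```

The point of the contrast is that a valid signature only proves the cookie was issued by the server at some time; it says nothing about whether the session is still live. Logging rejections from the hardened check (signature valid but session missing or expired) is also a useful signal when reviewing web logs for reuse of old cookies.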