by Checkmk security werks and security announcements
[//]: # (werk v2)
# CSRF token leaked in URL parameters (CVE-2024-38863)
key | value
---------- | ---
date | 2024-10-07T05:48:40+00:00
version | 2.3.0p18
class | security
edition | cre
component | wato
level | 1
compatible | yes
Before this Werk, the CSRF token was mistakenly included as a query parameter in certain URLs when navigating Checkmk, which could result in the token being saved in bookmarks.
This increased the risk of unintentional exposure, such as when sharing bookmarks with other users.
The issue has been resolved.
While storing or unintentionally exposing the token doesn't present an immediate security threat, it could potentially enable phishing attacks targeting the specific user for the duration of the token's validity.
In Checkmk, CSRF tokens remain valid for the session's duration (configured under Global settings > Session management).
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
*Mitigations*:
Avoid sharing or exposing URLs that contain the query parameter `csrf_token=`.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 2.0 Low (`CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L`) and assigned `CVE-2024-38863`.
[//]: # (werk v2)
# Sanitize Host and Folder Credentials in Audit Log
key | value
---------- | ---
date | 2024-10-07T05:57:04+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | no
Before this Werk, adding, changing, or removing SNMP and IPMI credentials in a host's or folder's properties would log those credentials in the WATO audit log. Now, credentials are masked before being written to the log.
The affected logs are only accessible to authenticated users, both through the rendering functionality in WATO and as files on the file system.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Recommendations*:
We have marked this Werk incompatible because we recommend taking manual action:
Consider rotating affected credentials.
If that is not feasible, consider sanitizing the log files.
Also take into account that log files containing credentials might have been written to backups.
The affected log files can be found in `~/var/check_mk/wato/log`.
Note that entries in the files are not separated by newlines, but by null bytes, so they will appear as one long line.
Entries that might contain credentials are all entries where the `'action'` is `'edit-folder'` or `'edit-host'`, and the `'diff_text'` contains any of the following strings:
* `Attribute "snmp_community"`
* `Value of "snmp_community"`
* `Attribute "management_snmp_community"`
* `Value of "management_snmp_community"`
* `Attribute "management_ipmi_credentials"`
* `Value of "management_ipmi_credentials"`
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.1 Medium (`CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N`) and assigned `CVE-2024-38862`.
[//]: # (werk v2)
# CSRF token leaked in URL parameters (CVE-2024-38863)
key | value
---------- | ---
date | 2024-10-07T05:48:40+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | yes
Before this Werk, the CSRF token was mistakenly included as a query parameter in certain URLs when navigating Checkmk, which could result in the token being saved in bookmarks.
This increased the risk of unintentional exposure, such as when sharing bookmarks with other users.
The issue has been resolved.
While storing or unintentionally exposing the token doesn't present an immediate security threat, it could potentially enable phishing attacks targeting the specific user for the duration of the token's validity.
In Checkmk, CSRF tokens remain valid for the session's duration (configured under Global settings > Session management).
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
*Mitigations*:
Avoid sharing or exposing URLs that contain the query parameter `csrf_token=`.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 2.0 Low (`CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L`) and assigned `CVE-2024-38863`.
[//]: # (werk v2)
# Information leak in mknotifyd
key | value
---------- | ---
date | 2024-07-15T11:23:40+00:00
version | 2.3.0p18
class | security
edition | cee
component | notifications
level | 1
compatible | yes
When a notification context is sent to mknotifyd, a "result message" is generated by mknotifyd and sent back to the original site so it can show whether there were problems handling that notification.
This result message could contain secrets that were not meant to be sent to remote sites, e.g. passwords.
These secrets were not processed by the remote site, but a rogue site would have been able to retrieve them.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.3 Medium (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`) and assigned `CVE-2024-6747`.