Werk 15200 was adapted. The following is the new Werk, a diff is shown at the end of the
message.
[//]: # (werk v2)
# Restrict check_sftp local paths
key | value
---------- | ---
date | 2024-05-16T09:48:20+00:00
version | 2.4.0b1
class | security
edition | cre
component | checks
level | 1
compatible | no
Prior to this Werk, `check_sftp` did not restrict the local paths that for files to be
uploaded and downloaded.
This allowed users with the permissions to configure `check_sftp` to read or write files
within the Checkmk site home.
The local paths are now restricted to the folder `var/check_mk/active_checks/check_sftp`
within the Checkmk site home.
As a consequence, the local paths in existing configurations will now be interpreted as
relative to that folder.
Since a test file is created if the local file to upload doesn't exist, the check will
continue to work, but it will not pick up files from the old location.
Similarly, the downloaded files will be stored in a new location.
This issue was found during internal review.
If you want a hot-fix in existing versions and are not using `check_sftp`, you can remove
the executable (`/omd/sites/[SITE_ID]/lib/nagios/plugins/check_sftp`) from your
installation.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 8.8 High with the following CVSS vector:
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` and assigned CVE `CVE-2024-28826`.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Restrict check_sftp local paths
key | value
---------- | ---
date | 2024-05-16T09:48:20+00:00
version | 2.4.0b1
class | security
edition | cre
component | checks
level | 1
compatible | no
Prior to this Werk, `check_sftp` did not restrict the local paths that for files to be
uploaded and downloaded.
This allowed users with the permissions to configure `check_sftp` to read or write files
within the Checkmk site home.
The local paths are now restricted to the folder `var/check_mk/active_checks/check_sftp`
within the Checkmk site home.
As a consequence, the local paths in existing configurations will now be interpreted as
relative to that folder.
Since a test file is created if the local file to upload doesn't exist, the check
will continue to work, but it will not pick up files from the old location.
Similarly, the downloaded files will be stored in a new location.
This issue was found during internal review.
+ If you want a hot-fix in existing versions and are not using `check_sftp`, you can
remove the executable (`/omd/sites/[SITE_ID]/lib/nagios/plugins/check_sftp`) from your
installation.
+
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 8.8 High with the following CVSS vector:
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` and assigned CVE `CVE-2024-28826`.