Checkmk
by Checkmk
Source repositories
CVEs (117)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-6542 | 0.00 | — | 0.00 | Jul 22, 2024 | Improper neutralization of livestatus command delimiters in mknotifyd in Checkmk <= 2.0.0p39, < 2.1.0p47, < 2.2.0p32 and < 2.3.0p11 allows arbitrary livestatus command execution. | |||
| CVE-2024-28828 | 0.00 | — | 0.00 | Jul 10, 2024 | Cross-Site request forgery in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) could lead to 1-click compromize of the site. | |||
| CVE-2024-28827 | 0.00 | — | 0.00 | Jul 10, 2024 | Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) allows a local attacker to gain SYSTEM privileges. | |||
| CVE-2024-6163 | 0.00 | — | 0.01 | Jul 8, 2024 | Certain http endpoints of Checkmk in Checkmk < 2.3.0p10 < 2.2.0p31, < 2.1.0p46, <= 2.0.0p39 allows remote attacker to bypass authentication and access data | |||
| CVE-2024-6052 | 0.00 | — | 0.00 | Jul 3, 2024 | Stored XSS in Checkmk before versions 2.3.0p8, 2.2.0p29, 2.1.0p45, and 2.0.0 (EOL) allows users to execute arbitrary scripts by injecting HTML elements | |||
| CVE-2024-38857 | 0.00 | — | 0.00 | Jul 2, 2024 | Improper neutralization of input in Checkmk before versions 2.3.0p8, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows attackers to craft malicious links that can facilitate phishing attacks. | |||
| CVE-2024-28830 | 0.00 | — | 0.00 | Jun 26, 2024 | Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p7, <2.2.0p28, <2.1.0p45 and <=2.0.0p39 (EOL) causes automation user secrets to be written to audit log files accessible to administrators. | |||
| CVE-2024-28832 | 0.00 | — | 0.00 | Jun 25, 2024 | Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows users with permission to change Global Settings to execute arbitrary scripts by injecting HTML elements into the Crash Report URL in the Global Settings. | |||
| CVE-2024-28831 | 0.00 | — | 0.00 | Jun 25, 2024 | Stored XSS in some confirmation pop-ups in Checkmk before versions 2.3.0p7 and 2.2.0p28 allows Checkmk users to execute arbitrary scripts by injecting HTML elements into some user input fields that are shown in a confirmation pop-up. | |||
| CVE-2024-5741 | 0.00 | — | 0.00 | Jun 17, 2024 | Stored XSS in inventory tree rendering in Checkmk before 2.3.0p7, 2.2.0p28, 2.1.0p45 and 2.0.0 (EOL) | |||
| CVE-2024-28833 | 0.00 | — | 0.00 | Jun 10, 2024 | Improper restriction of excessive authentication attempts with two factor authentication methods in Checkmk 2.3 before 2.3.0p6 facilitates brute-forcing of second factor mechanisms. | |||
| CVE-2024-28826 | 0.00 | — | 0.00 | May 29, 2024 | Improper restriction of local upload and download paths in check_sftp in Checkmk before 2.3.0p4, 2.2.0p27, 2.1.0p44, and in Checkmk 2.0.0 (EOL) allows attackers with sufficient permissions to configure the check to read and write local files on the Checkmk site server. | |||
| CVE-2024-28825 | 0.00 | — | 0.01 | Apr 24, 2024 | Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta), 2.2.0p26, 2.1.0p43, and in Checkmk 2.0.0 (EOL) facilitates password brute-forcing. | |||
| CVE-2024-3367 | 0.00 | — | 0.00 | Apr 16, 2024 | Argument injection in websphere_mq agent plugin in Checkmk 2.0.0, 2.1.0, <2.2.0p26 and <2.3.0b5 allows local attacker to inject one argument to runmqsc | |||
| CVE-2024-2380 | 0.00 | — | 0.00 | Apr 5, 2024 | Stored XSS in graph rendering in Checkmk <2.3.0b4. | |||
| CVE-2024-28824 | 0.00 | — | 0.00 | Mar 22, 2024 | Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges. | |||
| CVE-2024-1742 | 0.00 | — | 0.00 | Mar 22, 2024 | Invocation of the sqlplus command with sensitive information in the command line in the mk_oracle Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows the extraction of this information from the process list. | |||
| CVE-2024-0638 | 0.00 | — | 0.00 | Mar 22, 2024 | Least privilege violation in the Checkmk agent plugins mk_oracle, mk_oracle.ps1, and mk_oracle_crs before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges. | |||
| CVE-2024-0670 | 0.00 | — | 0.00 | Mar 11, 2024 | Privilege escalation in windows agent plugin in Checkmk before 2.2.0p23, 2.1.0p40 and 2.0.0 (EOL) allows local user to escalate privileges | |||
| CVE-2023-6740 | 0.00 | — | 0.00 | Jan 12, 2024 | Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escalate privileges |
- CVE-2024-6542Jul 22, 2024risk 0.00cvss —epss 0.00
Improper neutralization of livestatus command delimiters in mknotifyd in Checkmk <= 2.0.0p39, < 2.1.0p47, < 2.2.0p32 and < 2.3.0p11 allows arbitrary livestatus command execution.
- CVE-2024-28828Jul 10, 2024risk 0.00cvss —epss 0.00
Cross-Site request forgery in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) could lead to 1-click compromize of the site.
- CVE-2024-28827Jul 10, 2024risk 0.00cvss —epss 0.00
Incorrect permissions on the Checkmk Windows Agent's data directory in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) allows a local attacker to gain SYSTEM privileges.
- CVE-2024-6163Jul 8, 2024risk 0.00cvss —epss 0.01
Certain http endpoints of Checkmk in Checkmk < 2.3.0p10 < 2.2.0p31, < 2.1.0p46, <= 2.0.0p39 allows remote attacker to bypass authentication and access data
- CVE-2024-6052Jul 3, 2024risk 0.00cvss —epss 0.00
Stored XSS in Checkmk before versions 2.3.0p8, 2.2.0p29, 2.1.0p45, and 2.0.0 (EOL) allows users to execute arbitrary scripts by injecting HTML elements
- CVE-2024-38857Jul 2, 2024risk 0.00cvss —epss 0.00
Improper neutralization of input in Checkmk before versions 2.3.0p8, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows attackers to craft malicious links that can facilitate phishing attacks.
- CVE-2024-28830Jun 26, 2024risk 0.00cvss —epss 0.00
Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p7, <2.2.0p28, <2.1.0p45 and <=2.0.0p39 (EOL) causes automation user secrets to be written to audit log files accessible to administrators.
- CVE-2024-28832Jun 25, 2024risk 0.00cvss —epss 0.00
Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows users with permission to change Global Settings to execute arbitrary scripts by injecting HTML elements into the Crash Report URL in the Global Settings.
- CVE-2024-28831Jun 25, 2024risk 0.00cvss —epss 0.00
Stored XSS in some confirmation pop-ups in Checkmk before versions 2.3.0p7 and 2.2.0p28 allows Checkmk users to execute arbitrary scripts by injecting HTML elements into some user input fields that are shown in a confirmation pop-up.
- CVE-2024-5741Jun 17, 2024risk 0.00cvss —epss 0.00
Stored XSS in inventory tree rendering in Checkmk before 2.3.0p7, 2.2.0p28, 2.1.0p45 and 2.0.0 (EOL)
- CVE-2024-28833Jun 10, 2024risk 0.00cvss —epss 0.00
Improper restriction of excessive authentication attempts with two factor authentication methods in Checkmk 2.3 before 2.3.0p6 facilitates brute-forcing of second factor mechanisms.
- CVE-2024-28826May 29, 2024risk 0.00cvss —epss 0.00
Improper restriction of local upload and download paths in check_sftp in Checkmk before 2.3.0p4, 2.2.0p27, 2.1.0p44, and in Checkmk 2.0.0 (EOL) allows attackers with sufficient permissions to configure the check to read and write local files on the Checkmk site server.
- CVE-2024-28825Apr 24, 2024risk 0.00cvss —epss 0.01
Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta), 2.2.0p26, 2.1.0p43, and in Checkmk 2.0.0 (EOL) facilitates password brute-forcing.
- CVE-2024-3367Apr 16, 2024risk 0.00cvss —epss 0.00
Argument injection in websphere_mq agent plugin in Checkmk 2.0.0, 2.1.0, <2.2.0p26 and <2.3.0b5 allows local attacker to inject one argument to runmqsc
- CVE-2024-2380Apr 5, 2024risk 0.00cvss —epss 0.00
Stored XSS in graph rendering in Checkmk <2.3.0b4.
- CVE-2024-28824Mar 22, 2024risk 0.00cvss —epss 0.00
Least privilege violation and reliance on untrusted inputs in the mk_informix Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges.
- CVE-2024-1742Mar 22, 2024risk 0.00cvss —epss 0.00
Invocation of the sqlplus command with sensitive information in the command line in the mk_oracle Checkmk agent plugin before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows the extraction of this information from the process list.
- CVE-2024-0638Mar 22, 2024risk 0.00cvss —epss 0.00
Least privilege violation in the Checkmk agent plugins mk_oracle, mk_oracle.ps1, and mk_oracle_crs before Checkmk 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL) allows local users to escalate privileges.
- CVE-2024-0670Mar 11, 2024risk 0.00cvss —epss 0.00
Privilege escalation in windows agent plugin in Checkmk before 2.2.0p23, 2.1.0p40 and 2.0.0 (EOL) allows local user to escalate privileges
- CVE-2023-6740Jan 12, 2024risk 0.00cvss —epss 0.00
Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escalate privileges
Page 4 of 6