Checkmk
by Checkmk
Source repositories
CVEs (117)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-6735 | 0.00 | — | 0.00 | Jan 12, 2024 | Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escalate privileges | |||
| CVE-2023-31211 | 0.00 | — | 0.01 | Jan 12, 2024 | Insufficient authentication flow in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows attacker to use locked credentials | |||
| CVE-2023-31210 | 0.00 | — | 0.01 | Dec 13, 2023 | Usage of user controlled LD_LIBRARY_PATH in agent in Checkmk 2.2.0p10 up to 2.2.0p16 allows malicious Checkmk site user to escalate rights via injection of malicious libraries | |||
| CVE-2023-6251 | 0.00 | — | 0.00 | Nov 24, 2023 | Cross-site Request Forgery (CSRF) in Checkmk < 2.2.0p15, < 2.1.0p37, <= 2.0.0p39 allow an authenticated attacker to delete user-messages for individual users. | |||
| CVE-2023-6157 | 0.00 | — | 0.01 | Nov 22, 2023 | Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users. | |||
| CVE-2023-6156 | 0.00 | — | 0.01 | Nov 22, 2023 | Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users. | |||
| CVE-2023-23549 | 0.00 | — | 0.01 | Nov 15, 2023 | Improper Input Validation in Checkmk <2.2.0p15, <2.1.0p37, <=2.0.0p39 allows priviledged attackers to cause partial denial of service of the UI via too long hostnames. | |||
| CVE-2023-31209 | 0.00 | — | 0.01 | Aug 10, 2023 | Improper neutralization of active check command arguments in Checkmk < 2.1.0p32, < 2.0.0p38, < 2.2.0p4 leads to arbitrary command execution for authenticated users. | |||
| CVE-2023-23548 | 0.00 | — | 0.00 | Aug 1, 2023 | Reflected XSS in business intelligence in Checkmk <2.2.0p8, <2.1.0p32, <2.0.0p38, <=1.6.0p30. | |||
| CVE-2023-22359 | 0.00 | — | 0.01 | Jun 26, 2023 | User enumeration in Checkmk <=2.2.0p4 allows an authenticated attacker to enumerate usernames. | |||
| CVE-2023-22348 | 0.00 | — | 0.01 | May 17, 2023 | Improper Authorization in RestAPI in Checkmk GmbH's Checkmk versions <2.1.0p28 and <2.2.0b8 allows remote authenticated users to read arbitrary host_configs. | |||
| CVE-2023-31208 | 0.00 | — | 0.01 | May 17, 2023 | Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk < 2.0.0p36, < 2.1.0p28, and < 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users. | |||
| CVE-2023-31207 | 0.00 | — | 0.00 | May 2, 2023 | Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be written to the site Apache access log. | |||
| CVE-2022-46302 | 0.00 | — | 0.00 | Apr 20, 2023 | Broad access controls could allow site users to directly interact with the system Apache installation when providing the reverse proxy configurations for Tribe29's Checkmk <= 2.1.0p6, Checkmk <= 2.0.0p27, and all versions of Checkmk 1.6.0 (EOL) allowing an attacker to perform… | |||
| CVE-2023-2020 | 0.00 | — | 0.00 | Apr 18, 2023 | Insufficient permission checks in the REST API in Tribe29 Checkmk <= 2.1.0p27 and <= 2.2.0b4 (beta) allow unauthorized users to schedule downtimes for any host. | |||
| CVE-2023-1768 | 0.00 | — | 0.01 | Apr 4, 2023 | Inappropriate error handling in Tribe29 Checkmk <= 2.1.0p25, <= 2.0.0p34, <= 2.2.0b3 (beta), and all versions of Checkmk 1.6.0 causes the symmetric encryption of agent data to fail silently and transmit the data in plaintext in certain configurations. | |||
| CVE-2023-22288 | 0.00 | — | 0.00 | Mar 20, 2023 | HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into Emails | |||
| CVE-2022-48320 | 0.00 | — | 0.00 | Feb 20, 2023 | Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages. | |||
| CVE-2022-48319 | 0.00 | — | 0.00 | Feb 20, 2023 | Sensitive host secret disclosed in cmk-update-agent.log file in Tribe29's Checkmk <= 2.1.0p13, Checkmk <= 2.0.0p29, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to gain access to the host secret through the unprotected agent updater log file. | |||
| CVE-2022-48318 | 0.00 | — | 0.00 | Feb 20, 2023 | No authorisation controls in the RestAPI documentation for Tribe29's Checkmk <= 2.1.0p13 and Checkmk <= 2.0.0p29 which may lead to unintended information disclosure through automatically generated user specific tags within Rest API documentation. |
- CVE-2023-6735Jan 12, 2024risk 0.00cvss —epss 0.00
Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escalate privileges
- CVE-2023-31211Jan 12, 2024risk 0.00cvss —epss 0.01
Insufficient authentication flow in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows attacker to use locked credentials
- CVE-2023-31210Dec 13, 2023risk 0.00cvss —epss 0.01
Usage of user controlled LD_LIBRARY_PATH in agent in Checkmk 2.2.0p10 up to 2.2.0p16 allows malicious Checkmk site user to escalate rights via injection of malicious libraries
- CVE-2023-6251Nov 24, 2023risk 0.00cvss —epss 0.00
Cross-site Request Forgery (CSRF) in Checkmk < 2.2.0p15, < 2.1.0p37, <= 2.0.0p39 allow an authenticated attacker to delete user-messages for individual users.
- CVE-2023-6157Nov 22, 2023risk 0.00cvss —epss 0.01
Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.
- CVE-2023-6156Nov 22, 2023risk 0.00cvss —epss 0.01
Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.
- CVE-2023-23549Nov 15, 2023risk 0.00cvss —epss 0.01
Improper Input Validation in Checkmk <2.2.0p15, <2.1.0p37, <=2.0.0p39 allows priviledged attackers to cause partial denial of service of the UI via too long hostnames.
- CVE-2023-31209Aug 10, 2023risk 0.00cvss —epss 0.01
Improper neutralization of active check command arguments in Checkmk < 2.1.0p32, < 2.0.0p38, < 2.2.0p4 leads to arbitrary command execution for authenticated users.
- CVE-2023-23548Aug 1, 2023risk 0.00cvss —epss 0.00
Reflected XSS in business intelligence in Checkmk <2.2.0p8, <2.1.0p32, <2.0.0p38, <=1.6.0p30.
- CVE-2023-22359Jun 26, 2023risk 0.00cvss —epss 0.01
User enumeration in Checkmk <=2.2.0p4 allows an authenticated attacker to enumerate usernames.
- CVE-2023-22348May 17, 2023risk 0.00cvss —epss 0.01
Improper Authorization in RestAPI in Checkmk GmbH's Checkmk versions <2.1.0p28 and <2.2.0b8 allows remote authenticated users to read arbitrary host_configs.
- CVE-2023-31208May 17, 2023risk 0.00cvss —epss 0.01
Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk < 2.0.0p36, < 2.1.0p28, and < 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users.
- CVE-2023-31207May 2, 2023risk 0.00cvss —epss 0.00
Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be written to the site Apache access log.
- CVE-2022-46302Apr 20, 2023risk 0.00cvss —epss 0.00
Broad access controls could allow site users to directly interact with the system Apache installation when providing the reverse proxy configurations for Tribe29's Checkmk <= 2.1.0p6, Checkmk <= 2.0.0p27, and all versions of Checkmk 1.6.0 (EOL) allowing an attacker to perform…
- CVE-2023-2020Apr 18, 2023risk 0.00cvss —epss 0.00
Insufficient permission checks in the REST API in Tribe29 Checkmk <= 2.1.0p27 and <= 2.2.0b4 (beta) allow unauthorized users to schedule downtimes for any host.
- CVE-2023-1768Apr 4, 2023risk 0.00cvss —epss 0.01
Inappropriate error handling in Tribe29 Checkmk <= 2.1.0p25, <= 2.0.0p34, <= 2.2.0b3 (beta), and all versions of Checkmk 1.6.0 causes the symmetric encryption of agent data to fail silently and transmit the data in plaintext in certain configurations.
- CVE-2023-22288Mar 20, 2023risk 0.00cvss —epss 0.00
HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into Emails
- CVE-2022-48320Feb 20, 2023risk 0.00cvss —epss 0.00
Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages.
- CVE-2022-48319Feb 20, 2023risk 0.00cvss —epss 0.00
Sensitive host secret disclosed in cmk-update-agent.log file in Tribe29's Checkmk <= 2.1.0p13, Checkmk <= 2.0.0p29, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to gain access to the host secret through the unprotected agent updater log file.
- CVE-2022-48318Feb 20, 2023risk 0.00cvss —epss 0.00
No authorisation controls in the RestAPI documentation for Tribe29's Checkmk <= 2.1.0p13 and Checkmk <= 2.0.0p29 which may lead to unintended information disclosure through automatically generated user specific tags within Rest API documentation.
Page 5 of 6