Livestatus injection in availability timeline
CVE-2023-6156
8.8 HIGH
What is CVE-2023-6156?
Checkmk does not properly neutralize livestatus command delimiters in the availability timeline. The flaw allows authorized users to execute arbitrary livestatus commands in Checkmk 2.0.0 up to and including 2.0.0p39, 2.1.0 before 2.1.0p37, and 2.2.0 before 2.2.0p15. This could lead to unauthorized access to, and manipulation of, the monitoring tool's functionality.
Affected Version(s)
Checkmk 2.2.0 < 2.2.0p15
Checkmk 2.1.0 < 2.1.0p37
Checkmk 2.0.0 <= 2.0.0p39
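Livestatus requests are line-oriented text, so a line break inside a user-supplied value starts a new line of the request. The sketch below is an added example, not Checkmk's code or its fix: it shows a query builder that refuses such values next to a naive one, and the function names and sample values are constructed for illustration.

```python
import re

# Hypothetical helpers for illustration; not Checkmk's code or its patch.
_NAME = re.compile(r"[a-z0-9_]+")  # table and column identifiers
_OPERATORS = {"=", "!=", "~", "~~", "<", ">", "<=", ">="}

# Constructed sample value: a host name followed by a line break and extra text.
CONSTRUCTED_BAD_VALUE = "web01\nInjectedHeader: x"


class UnsafeValue(ValueError):
    """Raised when input could change the structure of a Livestatus request."""


def naive_query(host: str) -> str:
    """Unsafe pattern: the value is pasted into the request unchecked."""
    return f"GET hosts\nColumns: name state\nFilter: name = {host}\n\n"


def filter_header(column: str, op: str, value: str) -> str:
    """Return exactly one 'Filter:' line, or raise if the input could add lines."""
    # fullmatch, because '$' in a regex also matches before a trailing newline.
    if not _NAME.fullmatch(column):
        raise UnsafeValue(f"bad column name: {column!r}")
    if op not in _OPERATORS:
        raise UnsafeValue(f"bad operator: {op!r}")
    # Any line break or other control character ends this header early.
    if not value.isprintable():
        raise UnsafeValue(f"control character in value: {value!r}")
    return f"Filter: {column} {op} {value}"


def build_query(table: str, columns: list, filters: list) -> str:
    """Assemble a GET request from validated parts only."""
    for name in [table, *columns]:
        if not _NAME.fullmatch(name):
            raise UnsafeValue(f"bad identifier: {name!r}")
    lines = [f"GET {table}", "Columns: " + " ".join(columns)]
    lines += [filter_header(c, o, v) for c, o, v in filters]
    return "\n".join(lines) + "\n\n"  # a blank line ends the request


if __name__ == "__main__":
    print(repr(naive_query(CONSTRUCTED_BAD_VALUE)))  # four request lines, not three
    try:
        build_query("hosts", ["name", "state"], [("name", "=", CONSTRUCTED_BAD_VALUE)])
    except UnsafeValue as exc:
        print("rejected:", exc)
```

Rejecting the value is stricter than stripping the line break and makes the attempt visible in application logs.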