Headline
CVE-2023-6157: Livestatus Injections
Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.
Prior to this Werk it was possible to inject arbitrary livestatus commands to the core via the WebUI.
We found this vulnerability internally.
Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0
Vulnerability Management: We have rated the issue with a CVSS Score of 7.6 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H. We assigned CVE-2023-6156 and CVE-2023-6157 to these vulnerabilities.
Changes: This Werk strips the relevant parameters of newlines.
To the list of all Werks