Tribe29 Checkmk
17 CVEs affecting Tribe29 Checkmk. Latest disclosed: 2023-06-26. Critical: 1, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-46836 | Critical | 9.1 | 2023-02-20 | PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to in… |
| CVE-2022-46302 | High | 8.8 | 2023-04-20 | Broad access controls could allow site users to directly interact with the system Apache installation when providing the reverse proxy configurations for Tribe… |
| CVE-2022-43440 | High | 8.8 | 2023-02-09 | Uncontrolled Search Path Element in Checkmk Agent in Tribe29 Checkmk before 2.1.0p1, before 2.0.0p25 and before 1.6.0p29 on a Checkmk server allows the site us… |
| CVE-2022-46303 | High | 8.0 | 2023-02-20 | Command injection in SMS notifications in Tribe29 Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker with User Management per… |
| CVE-2023-22288 | Medium | 6.8 | 2023-03-20 | HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML int… |
| CVE-2022-48321 | Medium | 6.8 | 2023-02-20 | Limited Server-Side Request Forgery (SSRF) in agent-receiver in Tribe29's Checkmk <= 2.1.0p11 allows an attacker to communicate with local network restricted e… |
| CVE-2022-47909 | Medium | 6.8 | 2023-02-20 | Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk… |
| CVE-2023-0284 | Medium | 6.8 | 2023-01-24 | Improper Input Validation of LDAP user IDs in Tribe29 Checkmk allows attackers that can control LDAP user IDs to manipulate files on the server. Checkmk <= 2.1… |
| CVE-2022-48319 | Medium | 6.5 | 2023-02-20 | Sensitive host secret disclosed in cmk-update-agent.log file in Tribe29's Checkmk <= 2.1.0p13, Checkmk <= 2.0.0p29, and all versions of Checkmk 1.6.0 (EOL) all… |
| CVE-2022-48317 | Medium | 5.6 | 2023-02-20 | Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired sess… |
| CVE-2022-48320 | Medium | 5.4 | 2023-02-20 | Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new v… |
| CVE-2022-48318 | Medium | 5.3 | 2023-02-20 | No authorisation controls in the RestAPI documentation for Tribe29's Checkmk <= 2.1.0p13 and Checkmk <= 2.0.0p29 which may lead to unintended information discl… |
| CVE-2023-31207 | Medium | 4.4 | 2023-05-02 | Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be wri… |
| CVE-2023-22359 | Medium | 4.3 | 2023-06-26 | User enumeration in Checkmk <=2.2.0p4 allows an authenticated attacker to enumerate usernames. |
| CVE-2023-2020 | Medium | 4.3 | 2023-04-18 | Insufficient permission checks in the REST API in Tribe29 Checkmk <= 2.1.0p27 and <= 2.2.0b4 (beta) allow unauthorized users to schedule downtimes for any host. |
| CVE-2023-1768 | Low | 3.7 | 2023-04-04 | Inappropriate error handling in Tribe29 Checkmk <= 2.1.0p25, <= 2.0.0p34, <= 2.2.0b3 (beta), and all versions of Checkmk 1.6.0 causes the symmetric encryption… |
| CVE-2022-4884 | Low | 3.5 | 2023-01-09 | Path-Traversal in MKP storing in Tribe29 Checkmk <=2.0.0p32 and <= 2.1.0p18 allows an administrator to write mkp files to arbitrary locations via a malicious m… |