Vulnerabilities > Checkmk
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-05-17 | CVE-2023-22348 | Improper Authorization in RestAPI in Checkmk GmbH's Checkmk versions <2.1.0p28 and <2.2.0b8 allows remote authenticated users to read arbitrary host_configs. | 4.3 |
| 2023-05-17 | CVE-2023-31208 | Command Injection vulnerability in multiple products Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk < 2.0.0p36, < 2.1.0p28, and < 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users. | 8.8 |
| 2023-05-02 | CVE-2023-31207 | Information Exposure Through Log Files vulnerability in Checkmk 2.0.0/2.1.0 Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be written to the site Apache access log. | 5.5 |
| 2023-04-20 | CVE-2022-46302 | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Checkmk 1.6.0/2.0.0 Broad access controls could allow site users to directly interact with the system Apache installation when providing the reverse proxy configurations for Tribe29's Checkmk <= 2.1.0p6, Checkmk <= 2.0.0p27, and all versions of Checkmk 1.6.0 (EOL) allowing an attacker to perform remote code execution with root privileges on the underlying host. | 8.8 |
| 2023-04-18 | CVE-2023-2020 | Incorrect Authorization vulnerability in Checkmk 2.1.0/2.2.0 Insufficient permission checks in the REST API in Tribe29 Checkmk <= 2.1.0p27 and <= 2.2.0b4 (beta) allow unauthorized users to schedule downtimes for any host. | 4.3 |
| 2023-04-04 | CVE-2023-1768 | Inappropriate error handling in Tribe29 Checkmk <= 2.1.0p25, <= 2.0.0p34, <= 2.2.0b3 (beta), and all versions of Checkmk 1.6.0 causes the symmetric encryption of agent data to fail silently and transmit the data in plaintext in certain configurations. | 5.3 |
| 2023-03-20 | CVE-2023-22288 | Cross-site Scripting vulnerability in multiple products HTML Email Injection in Tribe29 Checkmk <=2.1.0p23; <=2.0.0p34, and all versions of Checkmk 1.6.0 allows an authenticated attacker to inject malicious HTML into Emails | 5.4 |
| 2023-02-20 | CVE-2022-46303 | OS Command Injection vulnerability in Checkmk 2.0.0/2.1.0 Command injection in SMS notifications in Tribe29 Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker with User Management permissions, as well as LDAP administrators in certain scenarios, to perform arbitrary commands within the context of the application's local permissions. | 7.5 |
| 2023-02-20 | CVE-2022-46836 | Code Injection vulnerability in Checkmk 2.0.0/2.1.0 PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to inject and execute PHP code which will be executed upon request of the vulnerable component. | 8.8 |
| 2023-02-20 | CVE-2022-47909 | Unspecified vulnerability in Checkmk 2.0.0/2.1.0 Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to perform direct queries to the application's core from localhost. | 7.8 |