Vulnerabilities > Checkmk > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-01-12 | CVE-2023-6735 | Improper Privilege Management vulnerability in multiple products Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escalate privileges | 7.8 |
2024-01-12 | CVE-2023-6740 | Improper Privilege Management vulnerability in multiple products Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escalate privileges | 7.8 |
2023-12-13 | CVE-2023-31210 | Uncontrolled Search Path Element vulnerability in Checkmk 2.2.0 Usage of user controlled LD_LIBRARY_PATH in agent in Checkmk 2.2.0p10 up to 2.2.0p16 allows malicious Checkmk site user to escalate rights via injection of malicious libraries | 7.8 |
2023-11-22 | CVE-2023-6156 | Unspecified vulnerability in Checkmk 2.0.0/2.1.0/2.2.0 Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users. | 8.8 |
2023-11-22 | CVE-2023-6157 | Unspecified vulnerability in Checkmk 2.0.0/2.1.0/2.2.0 Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users. | 8.8 |
2023-08-10 | CVE-2023-31209 | Injection vulnerability in multiple products Improper neutralization of active check command arguments in Checkmk < 2.1.0p32, < 2.0.0p38, < 2.2.0p4 leads to arbitrary command execution for authenticated users. | 8.8 |
2023-05-17 | CVE-2023-31208 | Command Injection vulnerability in multiple products Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk < 2.0.0p36, < 2.1.0p28, and < 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users. | 8.8 |
2023-04-20 | CVE-2022-46302 | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Checkmk 1.6.0/2.0.0 Broad access controls could allow site users to directly interact with the system Apache installation when providing the reverse proxy configurations for Tribe29's Checkmk <= 2.1.0p6, Checkmk <= 2.0.0p27, and all versions of Checkmk 1.6.0 (EOL) allowing an attacker to perform remote code execution with root privileges on the underlying host. | 8.8 |
2023-02-20 | CVE-2022-46303 | OS Command Injection vulnerability in Checkmk 2.0.0/2.1.0 Command injection in SMS notifications in Tribe29 Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker with User Management permissions, as well as LDAP administrators in certain scenarios, to perform arbitrary commands within the context of the application's local permissions. | 7.5 |
2023-02-20 | CVE-2022-46836 | Code Injection vulnerability in Checkmk 2.0.0/2.1.0 PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to inject and execute PHP code which will be executed upon request of the vulnerable component. | 8.8 |