Vulnerabilities > Checkmk > High

DATE CVE VULNERABILITY TITLE RISK
2023-05-17 CVE-2023-31208 Command Injection vulnerability in multiple products
Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk < 2.0.0p36, < 2.1.0p28, and < 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users.
network
low complexity
tribe29 checkmk CWE-77
8.8
2023-04-20 CVE-2022-46302 Inclusion of Functionality from Untrusted Control Sphere vulnerability in Checkmk 1.6.0/2.0.0
Broad access controls could allow site users to directly interact with the system Apache installation when providing the reverse proxy configurations for Tribe29's Checkmk <= 2.1.0p6, Checkmk <= 2.0.0p27, and all versions of Checkmk 1.6.0 (EOL) allowing an attacker to perform remote code execution with root privileges on the underlying host.
local
low complexity
checkmk CWE-829
8.8
2023-02-20 CVE-2022-46303 OS Command Injection vulnerability in Checkmk 2.0.0/2.1.0
Command injection in SMS notifications in Tribe29 Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker with User Management permissions, as well as LDAP administrators in certain scenarios, to perform arbitrary commands within the context of the application's local permissions.
network
high complexity
checkmk CWE-78
7.5
2023-02-20 CVE-2022-46836 Code Injection vulnerability in Checkmk 2.0.0/2.1.0
PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to inject and execute PHP code which will be executed upon request of the vulnerable component.
network
low complexity
checkmk CWE-94
8.8
2023-02-20 CVE-2022-47909 Unspecified vulnerability in Checkmk 2.0.0/2.1.0
Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to perform direct queries to the application's core from localhost.
local
low complexity
checkmk
7.8
2023-02-09 CVE-2022-43440 Uncontrolled Search Path Element vulnerability in Checkmk
Uncontrolled Search Path Element in Checkmk Agent in Tribe29 Checkmk before 2.1.0p1, before 2.0.0p25 and before 1.6.0p29 on a Checkmk server allows the site user to escalate privileges via a manipulated unixcat executable
local
low complexity
checkmk CWE-427
7.8
2023-01-26 CVE-2023-0284 Improper Input Validation vulnerability in multiple products
Improper Input Validation of LDAP user IDs in Tribe29 Checkmk allows attackers that can control LDAP user IDs to manipulate files on the server.
network
low complexity
tribe29 checkmk CWE-20
8.1
2022-06-17 CVE-2022-33912 Incorrect Default Permissions vulnerability in multiple products
A permission issue affects users that deployed the shipped version of the Checkmk Debian package.
local
low complexity
tribe29 checkmk CWE-276
7.8
2022-03-25 CVE-2021-40904 Incorrect Default Permissions vulnerability in Checkmk 1.5.0
The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code.
network
low complexity
checkmk CWE-276
8.8
2022-03-25 CVE-2021-40905 Unrestricted Upload of File with Dangerous Type vulnerability in multiple products
The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uploading of ".mkp" files, which are Extension Packages, making remote code execution possible.
network
low complexity
tribe29 checkmk CWE-434
8.8