Checkmk Session Logout Vulnerability Allowing Logout Circumvention

Vulnerability

A vulnerability exists in Checkmk versions prior to 2.3.0p30, prior to 2.2.0p41, and in 2.1.0p49 (EOL), allowing an authenticated user to overwrite session logout states. The issue arises because session information is loaded from disk at the beginning of a request and written back at the end. If a request runs long enough that the session is logged out while the request is still in flight, the write-back at the end of the request restores the pre-logout session state, effectively undoing the logout. Although sessions have a maximum lifetime of 24 hours, this behaviour could be used to extend a session's duration by manipulating logout states.
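The race described above, reduced to a deterministic model as an added example (not Checkmk's own code): a request reads the session at its start, a logout lands while the handler is still running, and the unconditional write-back at the end revives the session. The compare-before-write variant is one illustrative mitigation, not Checkmk's actual patch; the store, session id and field names are assumptions.

```python
import threading


class SessionStore:
    """In-memory stand-in for the on-disk session file (constructed for this example)."""

    def __init__(self):
        self._lock = threading.Lock()
        self.sessions = {"s1": {"logged_out": False, "last_seen": 0}}

    def load(self, sid):
        # Snapshot taken at request start; the request works on this copy.
        with self._lock:
            return dict(self.sessions[sid])

    def save_unconditional(self, sid, data):
        # Vulnerable pattern: blindly write the request's copy back at the end.
        with self._lock:
            self.sessions[sid] = data

    def save_if_still_active(self, sid, data):
        # Mitigated pattern: re-read the stored state under the lock and refuse to
        # overwrite a session that was logged out while the request was running.
        with self._lock:
            if self.sessions[sid]["logged_out"]:
                return False
            self.sessions[sid] = data
            return True

    def logout(self, sid):
        with self._lock:
            self.sessions[sid]["logged_out"] = True


def handle_request(store, sid, slow_work, conditional_write):
    """Load at start, do work, write back at end; returns True if the write was applied."""
    session = store.load(sid)      # 1. session state read at request start
    slow_work()                    # 2. long-running handler; a concurrent logout lands here
    session["last_seen"] += 1      # 3. request mutates its stale copy
    if conditional_write:
        return store.save_if_still_active(sid, session)
    store.save_unconditional(sid, session)
    return True


def logout_survives(conditional_write):
    """Simulate a logout that occurs mid-request; report whether it is still in effect."""
    store = SessionStore()
    handle_request(store, "s1", lambda: store.logout("s1"), conditional_write)
    return store.load("s1")["logged_out"]
```

With the unconditional write-back the logout is lost; with the compare-before-write check it survives the long request.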

Impact

Exploitation of this vulnerability allows an authenticated user to bypass session logout, potentially leading to unauthorized access or actions within the application.

Remediation

Users are advised to update to Checkmk versions 2.3.0p30, 2.2.0p41, or 2.5.0b1. If an immediate update is not possible, consider reducing the maximum session duration.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 1.3
exploitability: 4.8
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.