Checkmk Improper Permission Enforcement Vulnerability in WATO Allowing Users Unauthorized Access to Configuration Analysis

Vulnerability

A vulnerability exists in Checkmk versions 2.4.0 prior to 2.4.0p21, 2.3.0 prior to 2.3.0p43, and 2.2.0 (end-of-life, no fix available) due to improper permission enforcement in the Setup (WATO) GUI. Users with the 'Use WATO' permission could bypass the 'Access analyze configuration' permission check by directly navigating to the 'Analyze configuration' page URL: the permission was not re-checked by the page itself when it was requested directly, so withholding it did not prevent access. If these users also had the 'Make changes, perform actions' permission, they could perform unauthorized actions on that page, such as disabling checks or acknowledging results.
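
The defect is a classic forced-browsing pattern: a permission enforced only where a link is rendered, not in the handler that serves the page. The following is an added example, not Checkmk's code, that models a Setup (WATO) page dispatcher with the pre-fix behaviour beside its hardened form. The permission ids (wato.use, wato.analyze_config, wato.edit), the page mode name 'analyze_config' and the check names are constructed stand-ins for the permissions and page named in the advisory.

```python
# Added example, not Checkmk's code: a toy Setup (WATO) page dispatcher that
# reproduces the class of defect in the advisory, beside its hardened form.
# Permission ids, the page mode name and the check names are constructed
# stand-ins for the permissions named in the advisory.
from dataclasses import dataclass, field

PERM_USE_WATO = "wato.use"            # 'Use WATO'
PERM_ANALYZE = "wato.analyze_config"  # 'Access analyze configuration'
PERM_EDIT = "wato.edit"               # 'Make changes, perform actions'


class Forbidden(Exception):
    """A permission check failed; a real GUI would answer HTTP 403."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset

    def may(self, perm: str) -> bool:
        return perm in self.permissions


@dataclass
class AnalyzeConfigPage:
    """Stand-in for the page: checks with a current result, each of which
    can be disabled (hidden) or have its result acknowledged."""
    results: dict = field(default_factory=lambda: {"secure_gui": "CRIT",
                                                   "apache_processes": "WARN"})
    disabled: set = field(default_factory=set)
    acknowledged: set = field(default_factory=set)

    def render(self) -> dict:
        return {c: r for c, r in self.results.items() if c not in self.disabled}

    def perform(self, user: User, action: str, check: str) -> dict:
        # Actions are gated by 'Make changes' in both versions; the defect is
        # that the *page* permission was never consulted on the way here.
        if not user.may(PERM_EDIT):
            raise Forbidden(PERM_EDIT)
        if action == "disable":
            self.disabled.add(check)
        elif action == "acknowledge":
            self.acknowledged.add(check)
        else:
            raise ValueError(f"unknown action {action!r}")
        return self.render()


def menu_entries(user: User) -> list:
    """The navigation offers the page only to users holding the page permission."""
    return ["analyze_config"] if user.may(PERM_ANALYZE) else []


def vulnerable_dispatch(page, user, mode, action=None, check=None):
    """Pre-fix behaviour: only 'Use WATO' is enforced for the page itself, so a
    user who requests mode=analyze_config directly gets in even though the
    navigation never offered it."""
    if not user.may(PERM_USE_WATO):
        raise Forbidden(PERM_USE_WATO)
    if mode != "analyze_config":
        raise KeyError(mode)
    return page.perform(user, action, check) if action else page.render()


def hardened_dispatch(page, user, mode, action=None, check=None):
    """Fixed behaviour: the page permission is enforced by the handler, not
    only by whether a link was rendered."""
    if not user.may(PERM_USE_WATO):
        raise Forbidden(PERM_USE_WATO)
    if mode != "analyze_config":
        raise KeyError(mode)
    if not user.may(PERM_ANALYZE):
        raise Forbidden(PERM_ANALYZE)
    return page.perform(user, action, check) if action else page.render()


def is_forbidden(dispatch, page, user, mode, action=None, check=None) -> bool:
    """True if the dispatcher refuses the request with a permission error."""
    try:
        dispatch(page, user, mode, action, check)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # An operator with 'Use WATO' and 'Make changes' but no page permission.
    operator = User("operator", frozenset({PERM_USE_WATO, PERM_EDIT}))
    print("menu entries:", menu_entries(operator))
    print("vulnerable, after disabling a check:",
          vulnerable_dispatch(AnalyzeConfigPage(), operator,
                              "analyze_config", "disable", "secure_gui"))
    print("hardened refuses the page:",
          is_forbidden(hardened_dispatch, AnalyzeConfigPage(), operator,
                       "analyze_config"))
```

The point of the comparison is that `menu_entries` and `vulnerable_dispatch` disagree about who may reach the page; a permission model is only as strong as the check on the handler that actually serves the request, and the 'Make changes' check inside `perform` does nothing to close the gap, because it was never meant to stand in for the page permission.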

Impact

Exploitation allows a user who holds only 'Use WATO' to view the 'Analyze configuration' page, and a user who also holds 'Make changes, perform actions' to disable its checks or acknowledge its findings, even though both should require the 'Access analyze configuration' permission. Disabling a check or acknowledging a finding suppresses results that administrators rely on when reviewing the site's configuration, so the page's state can be altered without the intended authorization.

Remediation

Update to Checkmk 2.4.0p21 or later, or 2.3.0p43 or later. Checkmk 2.2.0 is end-of-life and receives no fix; upgrade to a supported version. Until the update is applied, restrict the 'Use WATO' and 'Make changes, perform actions' permissions to users who are entitled to them, since holding both is what permits the unauthorized actions. After updating, verify that a user without 'Access analyze configuration' is refused when requesting the 'Analyze configuration' page directly, and validate that all desired checks in 'Analyze configuration' are enabled and that no findings have been unexpectedly acknowledged.
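
Deciding whether a given installation falls inside the ranges above needs the patch level, not only the release line: 2.4.0 with no suffix and 2.4.0p20 are affected, 2.4.0p21 is not. The following added helper, not Checkmk's code, parses a version string and sorts an inventory into affected, fixed and unlisted hosts. The accepted formats (a release such as 2.4.0, a patch release such as 2.4.0p21, and an optional edition suffix such as .cee as printed by `omd version`) are assumptions about Checkmk's version syntax; pre-release forms are rejected rather than guessed at.

```python
# Added example, not Checkmk's code: decide from a version string whether an
# installation falls in the affected ranges named in the advisory. The
# accepted formats, including the optional edition suffix (.cre/.cee/...),
# are assumptions about Checkmk's version syntax.
import re

# First patch level per release line that contains the fix (from the advisory).
FIXED_IN = {(2, 4, 0): 21, (2, 3, 0): 43}
# Release lines that are end-of-life and receive no fix (from the advisory).
END_OF_LIFE = {(2, 2, 0)}

_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:p(?P<plevel>\d+))?"            # patch release; absent for the .0 release
    r"(?:\.(?:cre|cee|cme|cce|cse))?$"  # edition suffix, assumed optional
)


def parse_version(text: str):
    """Return ((major, minor, patch), plevel); plevel is 0 for the base release.
    Pre-release forms (e.g. beta builds) are rejected rather than ordered."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Checkmk release version: {text!r}")
    line = (int(m["major"]), int(m["minor"]), int(m["patch"]))
    plevel = int(m["plevel"]) if m["plevel"] is not None else 0
    return line, plevel


def is_affected(text: str):
    """True if affected, False if fixed, None if the release line is not
    covered by the advisory (neither listed as fixed nor as end-of-life)."""
    line, plevel = parse_version(text)
    if line in END_OF_LIFE:
        return True
    if line in FIXED_IN:
        return plevel < FIXED_IN[line]
    return None


def triage(versions: dict) -> dict:
    """Sort an inventory {host: version} into affected / fixed / unlisted,
    with host names in sorted order inside each bucket."""
    out = {"affected": [], "fixed": [], "unlisted": []}
    for host, ver in sorted(versions.items()):
        verdict = is_affected(ver)
        bucket = "unlisted" if verdict is None else ("affected" if verdict else "fixed")
        out[bucket].append(host)
    return out


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = {"mon1": "2.4.0p19", "mon2": "2.4.0p21.cee",
                 "mon3": "2.2.0p38", "lab": "2.5.0"}
    for bucket, hosts in triage(inventory).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in "unlisted" are not cleared by this check; they are simply outside the ranges the advisory names and need to be judged against the vendor's own release notes.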

Added: Feb 9, 2026, 4:35 PM
Updated: Feb 9, 2026, 4:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 1.3
exploitability: 5.2
remediation: 8.3
relevance: 2.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.