Checkmk REST API Quick Setup Endpoints Insufficient Permission Validation Vulnerability

Vulnerability

A vulnerability exists in the Checkmk REST API Quick Setup endpoints in versions 2.5.0 (beta) prior to 2.5.0b2 and 2.4.0 prior to 2.4.0p25. The issue arises from inadequate permission validation, allowing low-privileged users to perform unauthorized actions or access sensitive information. Before the fix, authenticated users could interact with the Quick Setup endpoints to edit setups, check background job statuses, and execute Quick Setup actions. The lack of granular authorization checks meant that users could manipulate stage data and potentially disclose sensitive information by reading the state of background jobs.
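To illustrate the flaw class described above (authentication treated as sufficient, with no per-endpoint permission check) next to the hardened pattern, here is an added example; it is hypothetical Python, not Checkmk's code, and the class, endpoint and permission names (VulnerableQuickSetupApi, FixedQuickSetupApi, quick_setup.edit, quick_setup.read_jobs) are assumptions. The authorization_matrix helper is the kind of regression check a team would keep so a low-privileged account can never again reach the edit and job-status endpoints.

```python
from dataclasses import dataclass, field
from functools import wraps

class Forbidden(Exception): pass  # authenticated caller lacks the needed permission
@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)
def requires(permission):
    """Per-endpoint authorization check: being logged in is not enough."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(self, user, *args, **kwargs):
            if permission not in user.permissions:
                raise Forbidden(f"{user.name} lacks {permission}")
            return fn(self, user, *args, **kwargs)
        return wrapper
    return decorator
class VulnerableQuickSetupApi:
    """Pre-fix pattern: every endpoint trusts any authenticated user."""
    def __init__(self):
        self.stages = {}
        # Constructed sample job state; a real job log may expose sensitive detail.
        self.jobs = {"job-1": {"state": "finished", "log": "connected to db1 as monitor"}}
    def edit_stage(self, user, setup_id, stage_data):
        self.stages[setup_id] = stage_data
        return "updated"
    def job_status(self, user, job_id):
        return self.jobs[job_id]
class FixedQuickSetupApi(VulnerableQuickSetupApi):
    """Post-fix pattern: each endpoint gates on its own (assumed) permission name."""
    @requires("quick_setup.edit")
    def edit_stage(self, user, setup_id, stage_data):
        return super().edit_stage(user, setup_id, stage_data)
    @requires("quick_setup.read_jobs")
    def job_status(self, user, job_id):
        return super().job_status(user, job_id)
def authorization_matrix(api, users):
    """Regression check: record which users can reach which endpoint."""
    calls = {"edit_stage": ("setup-1", {"host": "db1"}), "job_status": ("job-1",)}
    result = {}
    for user in users:
        for endpoint, args in calls.items():
            try:
                getattr(api, endpoint)(user, *args)
                result[(user.name, endpoint)] = "allowed"
            except Forbidden:
                result[(user.name, endpoint)] = "denied"
    return result
```

Run the matrix against both API classes with a viewer-level and an admin-level user: the pre-fix class reports "allowed" for the viewer on every endpoint, while the fixed class reports "denied" for the viewer and "allowed" only for the admin.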

Impact

Exploitation of this vulnerability could lead to unauthorized actions being performed on Quick Setup endpoints, allowing low-privileged users to edit setups, execute Quick Setup actions, and access sensitive information through background job statuses.

Remediation

Users can upgrade to Checkmk versions 2.5.0b2 or 2.4.0p26 to address this vulnerability.

Added: Apr 1, 2026, 11:19 AM
Updated: Apr 1, 2026, 11:19 AM

Vulnerability Rating

Custom Algorithm (score per category)

spread: 0.8
impact: 1.3
exploitability: 5.2
remediation: 7.7
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.