Checkmk
cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*
- < 2.4.0p23
- < 2.3.0p43
- 2.2.0
A logic error has been identified in the password management functionality of Checkmk versions prior to 2.4.0p23, prior to 2.3.0p43, and 2.2.0 (EOL). It allows low-privileged users to delete passwords they were never entitled to manage, causing data loss. When a user deletes one of their own passwords via the Quick Setup UI or the REST API, the deletion also removes every password owned by contact groups the user is not a member of, i.e. entries outside the user's authorization scope. Services that rely on those credentials stop working.
Exploitation of this vulnerability causes unauthorized deletion of password entries, leading to potential disruption of services that depend on those passwords for authentication or authorization.
Users are advised to restrict the 'Password management' permission to administrators only, until the fix is applied. The vulnerability has been addressed in Checkmk versions 2.4.0p23, 2.3.0p43, and 2.6.0b1.
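The advisory does not publish the root cause, so the following is an added illustrative model, not Checkmk code: it assumes a store of password entries each owned by a contact group, a caller with a set of group memberships and a 'Password management' permission flag, and it models the faulty behaviour as a "cleanup" step with an inverted membership test (an assumption chosen for illustration). It contrasts that with a delete that removes exactly the requested entry and only after checking the caller may touch it, and shows why revoking the permission from non-admins is an effective interim mitigation.

```python
"""Illustrative model of a scope-checked delete for shared credential
entries.  Added example for this advisory; not Checkmk code.  The data
model, the inverted-predicate bug and all sample data are assumptions.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordEntry:
    ident: str
    owner_group: str  # contact group that owns the entry; "admin" = site-global


@dataclass(frozen=True)
class Caller:
    name: str
    groups: frozenset[str]
    can_manage_passwords: bool = True  # models the 'Password management' permission
    is_admin: bool = False


class PasswordStore:
    def __init__(self, entries):
        self._entries = {e.ident: e for e in entries}

    def idents(self):
        return sorted(self._entries)

    def _may_touch(self, caller, entry):
        # Admins may manage anything; others only entries of groups they belong to.
        return caller.is_admin or entry.owner_group in caller.groups

    def delete_buggy(self, caller, ident):
        """Models the advisory's behaviour (assumed mechanism): the requested
        entry is removed, then a 'cleanup' pass uses `not in` where `in` was
        meant, so every entry owned by a group the caller is NOT in goes too."""
        if not caller.can_manage_passwords:
            raise PermissionError(f"{caller.name} lacks 'Password management'")
        removed = []
        if ident in self._entries:
            removed.append(self._entries.pop(ident).ident)
        for key, entry in list(self._entries.items()):
            if entry.owner_group not in caller.groups:  # inverted predicate
                removed.append(self._entries.pop(key).ident)
        return sorted(removed)

    def delete_checked(self, caller, ident):
        """Hardened form: permission check, existence check, per-entry
        authorization, and removal of exactly one entry."""
        if not caller.can_manage_passwords:
            raise PermissionError(f"{caller.name} lacks 'Password management'")
        entry = self._entries.get(ident)
        if entry is None:
            raise KeyError(ident)
        if not self._may_touch(caller, entry):
            raise PermissionError(f"{caller.name} may not manage {ident!r}")
        del self._entries[ident]
        return [ident]


def sample_store():
    # Constructed sample data for the demonstration, not from any real site.
    return PasswordStore([
        PasswordEntry("ops-snmp", "ops"),
        PasswordEntry("db-monitor", "db"),
        PasswordEntry("global-smtp", "admin"),
    ])


OPS_USER = Caller("alice", frozenset({"ops"}))
# Interim mitigation from the advisory: non-admins lose 'Password management'.
OPS_USER_MITIGATED = Caller("alice", frozenset({"ops"}), can_manage_passwords=False)


def demo():
    """Run the three scenarios and return what each left in the store."""
    results = {}
    s = sample_store()
    results["buggy_removed"] = s.delete_buggy(OPS_USER, "ops-snmp")
    results["buggy_left"] = s.idents()

    s = sample_store()
    results["checked_removed"] = s.delete_checked(OPS_USER, "ops-snmp")
    results["checked_left"] = s.idents()
    try:
        s.delete_checked(OPS_USER, "db-monitor")
        results["cross_group_delete"] = "allowed"
    except PermissionError:
        results["cross_group_delete"] = "denied"

    s = sample_store()
    try:
        s.delete_buggy(OPS_USER_MITIGATED, "ops-snmp")
        results["mitigated_buggy_path"] = "reachable"
    except PermissionError:
        results["mitigated_buggy_path"] = "blocked"
    results["mitigated_left"] = s.idents()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the contrast is the shape of the delete: a correct delete names one entry and checks the caller's right to that entry; it never derives the set to remove from a group predicate, where a single `in`/`not in` slip turns "mine" into "everyone else's".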