CVE-2024-28826

Summary

Improper restriction of local upload and download paths in check_sftp in Checkmk before 2.3.0p4, 2.2.0p27, 2.1.0p44, and in Checkmk 2.0.0 (EOL) allows attackers with sufficient permissions to configure the check to read and write local files on the Checkmk site server.

Affected Software

VendorProductVersion RangeStatus
Checkmk GmbHCheckmk2.3.0 < 2.3.0p4affected
Checkmk GmbHCheckmk2.2.0 < 2.2.0p27affected
Checkmk GmbHCheckmk2.1.0 < 2.1.0p44affected
Checkmk GmbHCheckmk2.0.0 <= 2.0.0p39affected

Weaknesses

  • CWE-73: CWE-73: External Control of File Name or Path

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References