CVE-2017-14955
published 2017-10-02CVE-2017-14955: Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain…
PriorityP343medium5.9CVSS 3.1
AVNACHPRNUINSUCHINAN
EXPLOIT
EPSS
12.13%
95.6th percentile
Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| checkmk | checkmk | — | — |
| checkmk | checkmk | — | — |
| checkmk | checkmk | — | — |
| checkmk | checkmk | — | — |
| checkmk | checkmk | — | — |
| checkmk | checkmk | — | — |
CVSS provenance
nvdv3.15.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
osv5.9MEDIUM
vendor_redhat5.9MEDIUM
vendor_ubuntu5.9MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Checkmk vulnerabilities
vendor_ubuntu·2022-07-20·CVSS 5.9
CVE-2017-14955 [MEDIUM] Checkmk vulnerabilities
Title: Checkmk vulnerabilities
Summary: Several security issues were fixed in Checkmk.
USN-5527-1 fixed vulnerabilities in Checkmk. This update provides the
corresponding update for Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that Checkmk incorrectly handled authentication. An attacker
could possibly use this issue to cause a race condition leading to information
disclosure. (CVE-2017-14955)
It was discovered that Checkmk incorrectly handled certain inputs. An attacker
could use these cross-site scripting issues to inject arbitrary html or
javascript code to obtain sensitive information including user information,
session cookies and valid credentials. (CVE-2017-9781, CVE-2021-36563,
CVE-2021-40906, CVE-2022-24565)
Instructions: In general, a standard system update
Ubuntu
Checkmk vulnerabilities
vendor_ubuntu·2022-07-20·CVSS 5.9
CVE-2021-36563 [MEDIUM] Checkmk vulnerabilities
Title: Checkmk vulnerabilities
Summary: Several security issues were fixed in Checkmk.
It was discovered that Checkmk incorrectly handled authentication. An attacker
could possibly use this issue to cause a race condition leading to information
disclosure. (CVE-2017-14955)
It was discovered that Checkmk incorrectly handled certain inputs. An attacker
could use these cross-site scripting issues to inject arbitrary html or
javascript code to obtain sensitive information including user information,
session cookies and valid credentials. (CVE-2017-9781, CVE-2021-36563,
CVE-2021-40906, CVE-2022-24565)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
check-mk: Mishandles certain errors within the failed-login save feature because of a race condition
vendor_redhat·2017-09-25·CVSS 5.9
CVE-2017-14955 [MEDIUM] CWE-362 check-mk: Mishandles certain errors within the failed-login save feature because of a race condition
check-mk: Mishandles certain errors within the failed-login save feature because of a race condition
Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report.
Statement: Red Hat Gluster Storage 3 is not affected because affected code is not shipped in the product. Affected code is present in check-mk-multisite rpm which is not shipped in this product.
Package: check-mk (Red Hat Storage 3) - Not affected
OSV
check-mk vulnerabilities
osv·2022-07-20·CVSS 5.9
CVE-2017-14955 [MEDIUM] check-mk vulnerabilities
check-mk vulnerabilities
It was discovered that Checkmk incorrectly handled authentication. An attacker
could possibly use this issue to cause a race condition leading to information
disclosure. (CVE-2017-14955)
It was discovered that Checkmk incorrectly handled certain inputs. An attacker
could use these cross-site scripting issues to inject arbitrary html or
javascript code to obtain sensitive information including user information,
session cookies and valid credentials. (CVE-2017-9781, CVE-2021-36563,
CVE-2021-40906, CVE-2022-24565)
OSV
check-mk vulnerabilities
osv·2022-07-20·CVSS 5.9
CVE-2017-14955 [MEDIUM] check-mk vulnerabilities
check-mk vulnerabilities
USN-5527-1 fixed vulnerabilities in Checkmk. This update provides the
corresponding update for Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that Checkmk incorrectly handled authentication. An attacker
could possibly use this issue to cause a race condition leading to information
disclosure. (CVE-2017-14955)
It was discovered that Checkmk incorrectly handled certain inputs. An attacker
could use these cross-site scripting issues to inject arbitrary html or
javascript code to obtain sensitive information including user information,
session cookies and valid credentials. (CVE-2017-9781, CVE-2021-36563,
CVE-2021-40906, CVE-2022-24565)
GHSA
GHSA-8qhg-c9h2-g6rj: Check_MK before 1
ghsa_unreviewed·2022-05-13
CVE-2017-14955 [MEDIUM] CWE-200 GHSA-8qhg-c9h2-g6rj: Check_MK before 1
Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report.
OSV
CVE-2017-14955: Check_MK before 1
osv·2017-10-02·CVSS 5.9
CVE-2017-14955 [MEDIUM] CVE-2017-14955: Check_MK before 1
Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report.
No detection rules found.
Bugzilla
CVE-2017-14955 check-mk: Mishandles certain errors within the failed-login save feature because of a race condition [fedora-all]
bugzilla·2017-10-03·CVSS 5.9
CVE-2017-14955 [MEDIUM] CVE-2017-14955 check-mk: Mishandles certain errors within the failed-login save feature because of a race condition [fedora-all]
CVE-2017-14955 check-mk: Mishandles certain errors within the failed-login save feature because of a race condition [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
N
Bugzilla
CVE-2017-14955 check-mk: Mishandles certain errors within the failed-login save feature because of a race condition [epel-all]
bugzilla·2017-10-03·CVSS 5.9
CVE-2017-14955 [MEDIUM] CVE-2017-14955 check-mk: Mishandles certain errors within the failed-login save feature because of a race condition [epel-all]
CVE-2017-14955 check-mk: Mishandles certain errors within the failed-login save feature because of a race condition [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE:
Bugzilla
CVE-2017-14955 check-mk: Mishandles certain errors within the failed-login save feature because of a race condition
bugzilla·2017-10-03·CVSS 5.9
CVE-2017-14955 [MEDIUM] CVE-2017-14955 check-mk: Mishandles certain errors within the failed-login save feature because of a race condition
CVE-2017-14955 check-mk: Mishandles certain errors within the failed-login save feature because of a race condition
Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report.
External References:
https://mathias-kettner.de/check_mk_werks.php?werk_id=5208
Discussion:
Created check-mk tracking bugs for this issue:
Affects: epel-all [bug 1497972]
Affects: fedora-all [bug 1497973]
---
Upstream Fix:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=patch;h=a4a2cc1f30ff6032899ca80eed29fa26b8898c54
---
Statement:
Red Hat Gluster Storage 3 is not affected because affected code is not shipped in the product. Affected code is presen
http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8https://mathias-kettner.de/check_mk_werks.php?werk_id=5208&HTML=yeshttps://www.exploit-db.com/exploits/43021/http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8https://mathias-kettner.de/check_mk_werks.php?werk_id=5208&HTML=yeshttps://www.exploit-db.com/exploits/43021/
2017-10-02
Published