CVE-2021-40904

Published: Mar 25, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session by a user with the role of administrator.

Affected (1)

Products: Checkmk: Checkmk

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Checkmk Checkmk	From 1.5.0 to 1.6.0

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (4)

http://checkmk.com

Source: cve@mitre.org

Product

https://github.com/Edgarloyola/CVE-2021-40904

Source: cve@mitre.org

ExploitPatchThird Party Advisory

http://checkmk.com

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://github.com/Edgarloyola/CVE-2021-40904

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.