CVE-2024-47092 - Vulnerability Details - OpenCVE

Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

No data.

No data.

No data.

References

Link	Providers
https://exchange.checkmk.com/p/check-mk-api
https://github.com/HeinleinSupport/check_mk_extensions/commit/b5a2a7529e3367d7a643e66f05da4f2a27013904

History

Tue, 04 Mar 2025 03:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 03 Mar 2025 14:00:00 +0000

Type	Values Removed	Values Added
Description		Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1
Title		Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api
Weaknesses		CWE-502
References		https://exchange.checkmk.com/p/check-mk-api https://github.com/HeinleinSupport/check_mk_extensions/commit/b5a2a7529e3367d7a643e66f05da4f2a27013904
Metrics		cvssV4_0 `{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Checkmk

Published: 2025-03-03T13:47:18.887Z

Updated: 2025-03-04T07:53:06.307Z

Reserved: 2024-09-18T11:38:53.583Z

Link: CVE-2024-47092

Vulnrichment

Updated: 2025-03-03T14:29:38.591Z

NVD

Status : Received

Published: 2025-03-03T14:15:33.473

Modified: 2025-03-03T14:15:33.473

Link: CVE-2024-47092

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47092", "assignerOrgId": "f7d6281c-4801-44ce-ace2-493291dedb0f", "state": "PUBLISHED", "assignerShortName": "Checkmk", "dateReserved": "2024-09-18T11:38:53.583Z", "datePublished": "2025-03-03T13:47:18.887Z", "dateUpdated": "2025-03-04T07:53:06.307Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://exchange.checkmk.com/packages", "defaultStatus": "unaffected", "packageName": "check-mk-api", "versions": [{"lessThanOrEqual": "5.8.0", "status": "affected", "version": "5.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Felix Eberstaller (Limes Security)"}, {"lang": "en", "type": "finder", "value": "Jakob Hartmann (Limes Security)"}], "descriptions": [{"lang": "en", "value": "Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1"}], "impacts": [{"capecId": "CAPEC-384", "descriptions": [{"lang": "en", "value": "CAPEC-384: Application API Message Manipulation via Man-in-the-Middle"}]}], "metrics": [{"cvssV4_0": {"baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f7d6281c-4801-44ce-ace2-493291dedb0f", "shortName": "Checkmk", "dateUpdated": "2025-03-04T07:53:06.307Z"}, "references": [{"tags": ["product"], "url": "https://exchange.checkmk.com/p/check-mk-api"}, {"tags": ["patch"], "url": "https://github.com/HeinleinSupport/check_mk_extensions/commit/b5a2a7529e3367d7a643e66f05da4f2a27013904"}], "source": {"discovery": "EXTERNAL"}, "title": "Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-03T14:29:34.498519Z", "id": "CVE-2024-47092", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T14:29:46.756Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47092", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-03T14:29:34.498519Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T14:29:38.591Z"}}], "cna": {"title": "Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Felix Eberstaller (Limes Security)"}, {"lang": "en", "type": "finder", "value": "Jakob Hartmann (Limes Security)"}], "impacts": [{"capecId": "CAPEC-384", "descriptions": [{"lang": "en", "value": "CAPEC-384: Application API Message Manipulation via Man-in-the-Middle"}]}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "affected": [{"versions": [{"status": "affected", "version": "5.0.0", "versionType": "semver", "lessThanOrEqual": "5.8.0"}], "packageName": "check-mk-api", "collectionURL": "https://exchange.checkmk.com/packages", "defaultStatus": "unaffected"}], "references": [{"url": "https://exchange.checkmk.com/p/check-mk-api", "tags": ["product"]}, {"url": "https://github.com/HeinleinSupport/check_mk_extensions/commit/b5a2a7529e3367d7a643e66f05da4f2a27013904", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f7d6281c-4801-44ce-ace2-493291dedb0f", "shortName": "Checkmk", "dateUpdated": "2025-03-04T07:53:06.307Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47092", "state": "PUBLISHED", "dateUpdated": "2025-03-04T07:53:06.307Z", "dateReserved": "2024-09-18T11:38:53.583Z", "assignerOrgId": "f7d6281c-4801-44ce-ace2-493291dedb0f", "datePublished": "2025-03-03T13:47:18.887Z", "assignerShortName": "Checkmk"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1"}], "id": "CVE-2024-47092", "lastModified": "2025-03-03T14:15:33.473", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@checkmk.com", "type": "Secondary"}]}, "published": "2025-03-03T14:15:33.473", "references": [{"source": "security@checkmk.com", "url": "https://exchange.checkmk.com/p/check-mk-api"}, {"source": "security@checkmk.com", "url": "https://github.com/HeinleinSupport/check_mk_extensions/commit/b5a2a7529e3367d7a643e66f05da4f2a27013904"}], "sourceIdentifier": "security@checkmk.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@checkmk.com", "type": "Secondary"}]}