PT-2023-14900 · Checkmk · Checkmk

Published

2023-02-20

·

Updated

2024-07-23

·

CVE-2022-46303

CVSS v3.1

8.0

High

Vector

AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Checkmk versions 1.6.0 through 1.6.0p29
Checkmk versions 2.0.0 through 2.0.0p27
Checkmk versions 2.1.0 through 2.1.0p10

Description

A command injection in Checkmk's SMS notification handling allows an attacker who holds User Management permissions (and, in certain scenarios, an LDAP administrator whose rights map to that role) to execute arbitrary OS commands within the context of the application's local permissions. Exploitation requires authenticated, privileged access to the Checkmk web interface and crafted input that reaches the SMS notification command; the resulting commands run with the same local rights as the Checkmk application itself.

Recommendations

For Checkmk versions 1.6.0 through 1.6.0p29, update to a version later than 1.6.0p29.
For Checkmk versions 2.0.0 through 2.0.0p27, update to a version later than 2.0.0p27.
For Checkmk versions 2.1.0 through 2.1.0p10, update to a version later than 2.1.0p10.

The installed release of each site can be checked with `omd version`. Until the update is applied, as a temporary workaround restrict the User Management permission (and any LDAP group that is mapped to it) to trusted administrators only, and disable or restrict the SMS notification method so that no user-controlled fields reach it.
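The following is an added illustration of the vulnerability class described above, written for this page; it is not Checkmk's notification plugin code and does not reproduce the actual injection point. It shows the generic pattern behind an OS command injection in a notification script: a recipient field that a privileged user can edit is interpolated into a shell command line, beside the hardened form that validates the recipient and passes arguments as an argv list with no shell. The `echo` binary stands in for a real SMS gateway tool so the example runs offline; the `SMS_TOOL`, `PHONE_RE` and function names are constructed for this example.

```python
"""Constructed example: command injection in a notification script and its
hardened form. Not Checkmk code; `echo` replaces a real SMS gateway tool."""
import re
import subprocess

# Stand-in for the external SMS sending command (assumption for this example;
# a real plugin would invoke a gateway tool on the monitoring host).
SMS_TOOL = "echo"

# Allow-list pattern for recipients: optional '+' followed by 3 to 15 digits.
PHONE_RE = re.compile(r"^\+?[0-9]{3,15}$")


def send_sms_unsafe(recipient: str, message: str) -> str:
    """Vulnerable pattern: the recipient is pasted into a shell command line.
    Whoever can edit the recipient field decides what the shell executes."""
    cmd = f"{SMS_TOOL} {recipient} {message}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def send_sms_safe(recipient: str, message: str) -> str:
    """Hardened form: reject anything that is not a phone number, then pass
    the arguments as a list so no shell ever parses the recipient."""
    if not PHONE_RE.fullmatch(recipient):
        raise ValueError(f"invalid recipient: {recipient!r}")
    argv = [SMS_TOOL, recipient, message]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


def injected(output: str) -> bool:
    """True if the marker printed by the injected command shows up in the
    tool output, i.e. the shell ran more than the intended SMS command."""
    return "INJECTED" in output


def rejects(recipient: str) -> bool:
    """True if the hardened sender refuses the recipient before running
    anything."""
    try:
        send_sms_safe(recipient, "host DOWN")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload: a plausible number followed by a second command.
    payload = "+15550000000; echo INJECTED"
    print("unsafe output:", repr(send_sms_unsafe(payload, "host DOWN")))
    print("safe rejects payload:", rejects(payload))
    print("safe output:", repr(send_sms_safe("+15550000000", "host DOWN")))
```

The unsafe variant is what a shell-based notification command degrades to once any editable field (a contact's phone number, a custom notification parameter) is concatenated into the command string: the `;` terminates the intended command and the remainder runs with the application's local permissions, which is exactly the impact described in the advisory. The hardened variant closes both doors at once: the strict allow-list rejects metacharacters before anything is executed, and the argv form means that even a missed validation would hand the tool a literal string rather than a second command.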

Fix

OS Command Injection

RCE

Weakness Enumeration

Related Identifiers

CVE-2022-46303

Affected Products

Checkmk