PT-2024-18267 · Oracle · Sqlplus
Published: 2024-03-22 · Updated: 2024-12-04
CVE-2024-1742
Severity: 3.8 (Low)
Base vector: AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Checkmk versions prior to 2.3.0b4 (beta), 2.2.0p24, 2.1.0p41 and 2.0.0 (EOL)
Description:
The mk_oracle Checkmk agent plugin invokes the sqlplus command with sensitive information on the command line, which allows this information to be extracted from the process list.
Recommendations:
For Checkmk versions prior to 2.3.0b4 (beta), update to version 2.3.0b4 (beta) or later.
For Checkmk version 2.2.0, update to version 2.2.0p24 or later.
For Checkmk version 2.1.0, update to version 2.1.0p41 or later.
For Checkmk version 2.0.0, this version is end-of-life, and it is recommended to upgrade to a newer version.
As a temporary workaround, avoid passing sensitive information on the command line of the sqlplus command in the mk_oracle Checkmk agent plugin until a patch is available.
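To check a host for the exposure described above, the following added example (not Checkmk's code or its fix) flags running sqlplus processes whose argument list contains a `user/password` logon string and reports them with the password redacted. The function name `find_exposed_logons` is hypothetical, and the sample process lines, including all user names and passwords, are constructed.

```python
import os
import re
import shlex
import subprocess

# Logon argument of the form user/password[@connect_identifier].
# "/nolog" and a bare "/" (OS authentication) carry no secret and do not match.
LOGON_RE = re.compile(r'^(?P<user>[^/\s@]+)/(?P<secret>[^@\s]+)(?P<target>@\S+)?$')

# Constructed sample in `ps -eo pid=,args=` layout; all names and passwords are made up.
SAMPLE_PS = [
    " 4211 sqlplus -L -s monitor/Constructed_pw1@ORCL",
    " 4302 /opt/oracle/bin/sqlplus -s checkuser/Constructed_pw2@//db1:1521/XE",
    " 4377 sqlplus -s /nolog",
    " 4390 sqlplus -s / as sysdba",
    " 4401 sqlplus -s /nolog @/tmp/report/query.sql",
    " 4420 ls backup/oracle",
]

def find_exposed_logons(ps_lines):
    """Return (pid, redacted_logon) for each sqlplus process with a password in argv."""
    findings = []
    for line in ps_lines:
        pid, _, cmdline = line.strip().partition(" ")
        try:
            argv = shlex.split(cmdline)
        except ValueError:  # unbalanced quote in the listing
            argv = cmdline.split()
        if not pid.isdigit() or not argv or os.path.basename(argv[0]) != "sqlplus":
            continue
        for arg in argv[1:]:
            if arg.startswith(("-", "@")):  # option or script reference
                continue
            m = LOGON_RE.match(arg)
            if m:
                # Keep the user and target for triage, never the secret itself.
                findings.append((int(pid), f"{m['user']}/***{m['target'] or ''}"))
                break
    return findings

if __name__ == "__main__":
    # Audit the live process list of the current host.
    listing = subprocess.run(["ps", "-eo", "pid=,args="],
                             capture_output=True, text=True, check=True).stdout
    for pid, logon in find_exposed_logons(listing.splitlines()):
        print(f"pid {pid}: sqlplus started with credentials in argv ({logon})")
```

Invocations that start sqlplus with `/nolog` and supply the `CONNECT` statement on standard input do not appear in the findings, because the password never enters the argument list.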
References · 11
- https://checkmk.com/werk/16234 · Vendor Advisory
- https://osv.dev/vulnerability/UBUNTU-CVE-2024-1742 · Vendor Advisory
- https://ubuntu.com/security/CVE-2024-1742 · Vendor Advisory
- https://cve.org/CVERecord?id=CVE-2024-1742 · Security Note
- https://nvd.nist.gov/vuln/detail/CVE-2024-1742 · Security Note
- https://osv.dev/vulnerability/CVE-2024-1742 · Vendor Advisory
- https://twitter.com/VulmonFeeds/status/1771152246895472648 · Twitter Post
- https://t.me/cvenotify/74426 · Telegram Post
- https://t.me/cvenotify/103029 · Telegram Post
- https://twitter.com/CVEnew/status/1771122719209455620 · Twitter Post
- https://twitter.com/RedPacketSec/status/1772928422622249216 · Twitter Post