CVE-2023-31207 MEDIUM

CVE-2023-31207: Automation user secret logged to Apache access log

Vendor Tribe29

Product Checkmk

Weakness CWE-532 · Sensitive info in logs

Published May 2, 2023

Last update January 30, 2025

View on NVD All CVEs

CVSS base score

4.4/10

Attack vector Local

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be written to the site Apache access log.

Key dates

Disclosure timeline

May 2, 2023 CVE published

January 30, 2025 Record updated

Identifiers

CVE CVE-2023-31207

CWE CWE-532

CVSS 4.4 / MEDIUM

Affected versions

Vendor Tribe29

Product Checkmk

Affected ≥ 2.2.0 and ≤ 2.2.0b6

Vendor Tribe29

Product Checkmk

Affected ≥ 2.1.0 and ≤ 2.1.0p26

Vendor Tribe29

Product Checkmk

Affected ≥ 2.0.0 and ≤ 2.0.0p35