CVE-2024-28826

HIGH

Checkmk <2.3.0p4, <2.2.0p27, <2.1.0p44, 2.0.0 - Path Traversal

Title source: llm

Description

Improper restriction of local upload and download paths in check_sftp in Checkmk before 2.3.0p4, 2.2.0p27, 2.1.0p44, and in Checkmk 2.0.0 (EOL) allows attackers with sufficient permissions to configure the check to read and write local files on the Checkmk site server.
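The weakness the description names (CWE-73, external control of a file path) comes down to one missing check: a configured "local path" option is used as given instead of being confined to a directory the check is supposed to own. The example below is an added illustration, not code from Checkmk or from the check_sftp fix; the site directory, the confinement subdirectory and the function names are assumptions. It models the vulnerable pattern beside a hardened one and runs both against the usual escape attempts (absolute path, `..` segments, a symlink inside the allowed directory pointing outside it) in a throwaway directory constructed in the block.

```python
"""Path confinement for a user-configured local path (CWE-73).

Constructed example, not Checkmk's own code. `local_path_unrestricted`
models the vulnerable pattern; `local_path_confined` the hardened one.
The site directory layout and the subdirectory name are assumptions.
"""
import os
import tempfile


def local_path_unrestricted(site_dir: str, user_path: str) -> str:
    """Vulnerable pattern: the configured path is used as given.

    A relative path is joined to the site directory, but os.path.join
    discards site_dir when user_path is absolute, and '..' segments are
    kept, so whoever may configure the check can point uploads and
    downloads at any file the site user can reach.
    """
    return os.path.join(site_dir, user_path)


class PathEscapesBaseDir(ValueError):
    """Raised when a configured path resolves outside the allowed directory."""


def local_path_confined(site_dir: str, user_path: str,
                        subdir: str = "tmp/check_mk/sftp") -> str:
    """Hardened pattern: resolve the path, then require it to stay under base.

    realpath() collapses '..' and follows symlinks before the containment
    test, so neither trick can move the result out of `base`. Absolute
    user paths are rejected outright rather than silently re-rooted.
    """
    if os.path.isabs(user_path):
        raise PathEscapesBaseDir(f"absolute path not allowed: {user_path!r}")
    base = os.path.realpath(os.path.join(site_dir, subdir))
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath is the containment test. A string prefix test would accept
    # <base>_evil/x as "inside" <base>, which is why startswith() is avoided.
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscapesBaseDir(f"{user_path!r} resolves outside {base}")
    return candidate


def demo() -> dict:
    """Run both variants against representative inputs in a temporary site dir.

    Returns {probe: (unrestricted_result, confined_result_or_None)}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as site_dir:
        allowed = os.path.join(site_dir, "tmp/check_mk/sftp")
        os.makedirs(allowed)
        # A symlink inside the allowed directory that points outside it;
        # only the realpath-based check catches this case.
        os.symlink("/etc", os.path.join(allowed, "link"))
        probes = [
            "report.txt",            # legitimate relative path
            "../../../etc/passwd",   # parent-directory traversal
            "/etc/passwd",           # absolute path, join() drops site_dir
            "link/passwd",           # traversal through a symlink
        ]
        for probe in probes:
            unrestricted = local_path_unrestricted(site_dir, probe)
            try:
                confined = local_path_confined(site_dir, probe)
            except PathEscapesBaseDir:
                confined = None
            results[probe] = (unrestricted, confined)
    return results


if __name__ == "__main__":
    for probe, (loose, strict) in demo().items():
        print(f"{probe:22} unrestricted={loose}  confined={strict}")
```

Only the first probe survives the confined variant; the other three are rejected, while the unrestricted variant hands all four straight to the filesystem. The check has to run on the resolved path, after symlink expansion, which is why the symlink case is included.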

Scores

CVSS v3.1 base score 8.8 (High)
EPSS 0.0044 (0.44% estimated probability of exploitation in the next 30 days)
EPSS Percentile 63.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (network-reachable, low complexity, low privileges, no user interaction; the PR:L matches the "sufficient permissions to configure the check" precondition in the description)

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-610 (Externally Controlled Reference to a Resource in Another Sphere), CWE-73 (External Control of File Name or Path)
Status published
Products (1)
checkmk/checkmk 2.1.0 (50 CPE variants)
Published May 29, 2024
Tracked Since Feb 18, 2026