CVE-2025-32918 | THREATINT

Description

Improper neutralization of Livestatus command delimiters in autocomplete endpoint within the RestAPI of Checkmk versions <2.4.0p6, <2.3.0p35, <2.2.0p44, and 2.1.0 (EOL) allows an authenticated user to inject arbitrary Livestatus commands.

PUBLISHED Reserved 2025-04-14 | Published 2025-07-04 | Updated 2025-07-08 | Assigner Checkmk

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-140: Improper Neutralization of Delimiters

Product status

Default status

unaffected

2.4.0 (semver) before 2.4.0p6

affected

2.3.0 (semver) before 2.3.0p35

affected

2.2.0 (semver) before 2.2.0p44

affected

2.1.0 (semver)

affected

Credits

PS Positive Security GmbH reporter

References

checkmk.com/werk/17987

cve.org (CVE-2025-32918)

nvd.nist.gov (CVE-2025-32918)

Download JSON