Description

Insufficient escaping in the report scheduler within Checkmk <2.4.0p13, <2.3.0p38, <2.2.0p46 and 2.1.0 (EOL) allows authenticated attackers to define the storage location of report file pairs beyond their intended root directory.

PUBLISHED Reserved 2025-04-16 | Published 2025-10-09 | Updated 2025-10-09 | Assigner Checkmk




HIGH: 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected

2.4.0 before 2.4.0p13: affected
2.3.0 before 2.3.0p38: affected
2.2.0 before 2.2.0p46: affected
2.1.0: affected

Credits

Lisa Gnedt (SBA Research), reporter

References

checkmk.com/werk/17984

cve.org (CVE-2025-39664)

nvd.nist.gov (CVE-2025-39664)
