5.3 CVE-2025-3506

Files to be deployed with agents are accessible without authentication in Checkmk 2.1.0, Checkmk 2.2.0, Checkmk 2.3.0 and <Checkmk 2.4.0b6 allows attacker to access files that could contain secrets.
https://nvd.nist.gov/vuln/detail/CVE-2025-3506

Categories

CWE-497 : Exposure of Sensitive System Information to an Unauthorized Control Sphere
The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Production applications should never use methods that generate internal details such as stack traces and error messages unless that information is directly committed to a log that is not viewable by the end user. All error message text should be HTML entity encoded before being written to the log file to protect against potential cross-site scripting attacks against the viewer of the logs Code analysis product passes access tokens as a command-line parameter or through an environment variable, making them visible to other processes via the ps command.

References

security@checkmk.com

https://checkmk.com/werk/17348 Vendor Advisory

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:checkmk:checkmk::::::::	>= 2.1.0	<= 2.3.0
cpe:2.3:a:checkmk:checkmk:2.4.0:-::::::
cpe:2.3:a:checkmk:checkmk:2.4.0:b1::::::
cpe:2.3:a:checkmk:checkmk:2.4.0:b2::::::
cpe:2.3:a:checkmk:checkmk:2.4.0:b3::::::
cpe:2.3:a:checkmk:checkmk:2.4.0:b4::::::
cpe:2.3:a:checkmk:checkmk:2.4.0:b5::::::

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
170	Web Application Fingerprinting An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks. [Request fingerprinting] Use automated tools or send web server specific commands to web server and wait for server's response. [Increase the accuracy of server fingerprinting of Web servers] Attacker usually needs to send several different commands to accurately identify the web server. Attacker can also use automated tools to send requests to the server. The responses of the server may be different in terms of protocol behavior. [Identify Web Application Software] After the web server platform software has been identified, the attacker start to identify web application technologies such as ASP, .NET, PHP and Java on the server. [Identify Backend Database Version] Determining the database engine type can assist attackers' attempt to successfully execute SQL injection. Some database API such as ODBC will show a database type as part of the driver information when reporting an error.	Low
694	System Location Discovery [System Locale Information Discovery] The adversary examines system information from various sources such as registry and native API functions and correlates the gathered information to infer the geographical location of the target system	Very Low

MITRE

Techniques

id	description
T1614	System Language Discovery
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee

cpe	start	end
Configuration 1
cpe:2.3:a:checkmk:checkmk::::::::	>= 2.1.0	<= 2.3.0
cpe:2.3:a:checkmk:checkmk:2.4.0:-::::::
cpe:2.3:a:checkmk:checkmk:2.4.0:b1::::::
cpe:2.3:a:checkmk:checkmk:2.4.0:b2::::::
cpe:2.3:a:checkmk:checkmk:2.4.0:b3::::::
cpe:2.3:a:checkmk:checkmk:2.4.0:b4::::::
cpe:2.3:a:checkmk:checkmk:2.4.0:b5::::::