CVE-2021-40905

Published: 25/03/2022 Updated: 17/05/2024
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 605
CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

The web management console of Checkmk Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not restrict what is uploaded as a ".mkp" file (an Extension Package), so a crafted package leads to remote code execution on the monitoring server. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with the administrator role. NOTE: the vendor states that this is the intended behavior: admins are supposed to be able to execute code in this manner. The practical consequence is that installing an MKP is equivalent to running its author's code on the Checkmk server, so administrator credentials and sessions must be protected accordingly and third-party packages reviewed before installation.

Vulnerable Products

tribe29 checkmk 2.0.0

tribe29 checkmk

Github Repositories

CVE-2021-40905 - RCE via a crafted mkp file. Application: Checkmk Management Web Console. Software Revision: Less than or equal to 2.0.0p17. Attack type: RCE. Solution: TBD, or the MKPs shared on exchange.checkmk.com/ are manually reviewed by Checkmk and they look for malicious code or suspicious imports, etc. Summary: The web management console of Checkmk Enterprise Edit