CVE-2021-40904
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session by a user with the role of administrator.
La consola de administración web de CheckMK Raw Edition (versiones 1.5.0 a 1.6.0) permite una configuración errónea de la web-app Dokuwiki (instalada por defecto), que permite una inserción de código php. Como resultado, es conseguida una ejecución de código remota. Una explotación con éxito requiere el acceso a la interfaz de administración web, ya sea con credenciales válidas o con una sesión secuestrada por un usuario con el rol de administrador
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-09-13 CVE Reserved
- 2022-03-25 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-10-29 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-276: Incorrect Default Permissions
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| http://checkmk.com | Product |
| URL | Date | SRC |
|---|---|---|
| https://github.com/Edgarloyola/CVE-2021-40904 | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Tribe29 Search vendor "Tribe29" | Checkmk Search vendor "Tribe29" for product "Checkmk" | >= 1.5.0 < 1.6.0 Search vendor "Tribe29" for product "Checkmk" and version " >= 1.5.0 < 1.6.0" | - |
Affected
| ||||||