This release resolves critical security vulnerabilities. Please install the update as soon as possible!
Resolved security vulnerabilities
On Jun 4th 2023 tuannq2299 reported a security vulnerability to us. The issue is caused by a race condition and could lead to multiple user accounts with the same email address.
The report was submitted through the huntr.dev platform: https://huntr.dev/bounties/94d50b11-20ca-46e3-9086-dd6836421675/ The issue could only be exploited by logged-in users with access to the user management of openITCOCKPIT.
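The following is an added illustration, not openITCOCKPIT code, of why a race condition of this kind ends in duplicate accounts: two requests both pass an application-level "does this email exist?" check before either of them inserts, so the check alone does not protect the invariant. The table name, columns and email address are constructed for the demo; the point it makes is that a UNIQUE constraint enforced by the database rejects the second insert no matter how the requests interleave (the same fix applies to the username column named in the table below).

```python
import sqlite3

# Constructed demo schema standing in for a real user store.
def make_db(unique_email: bool) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if unique_email else ""
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL,"
        f" email TEXT NOT NULL {constraint})"
    )
    return conn


def email_taken(conn: sqlite3.Connection, email: str) -> bool:
    """Application-level check: is there already a user with this email?"""
    row = conn.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None


def insert_user(conn: sqlite3.Connection, username: str, email: str) -> None:
    conn.execute("INSERT INTO users (username, email) VALUES (?, ?)", (username, email))


def simulate_concurrent_create(unique_email: bool) -> int:
    """Two requests create an account with the same email address.

    The interleaving is forced deterministically: both requests run their
    check step before either runs its insert step. That is exactly the window
    a real race opens. Returns how many rows end up with that email.
    """
    conn = make_db(unique_email)
    email = "alice@example.test"  # constructed sample value
    requests = [("alice", email), ("alice2", email)]

    # Phase 1: both requests check, and both see no existing row.
    seen = [email_taken(conn, e) for _, e in requests]
    assert not any(seen)

    # Phase 2: both requests insert. Only the database constraint can
    # reject the second one at this point.
    for username, e in requests:
        try:
            insert_user(conn, username, e)
        except sqlite3.IntegrityError:
            pass  # UNIQUE constraint failed: the duplicate is refused

    (count,) = conn.execute(
        "SELECT COUNT(*) FROM users WHERE email = ?", (email,)
    ).fetchone()
    return count


if __name__ == "__main__":
    print("without UNIQUE:", simulate_concurrent_create(unique_email=False))  # 2
    print("with UNIQUE:   ", simulate_concurrent_create(unique_email=True))   # 1
```

A serialising lock around the check-and-insert would also close the window, but the constraint is the cheaper guarantee: it holds for every code path that writes the table, not only the one that remembered to take the lock.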
On Jun 7th 2023 Hieu Dang (GitHub profile, Twitter profile) reported a critical SQL injection in the `sort` parameter of the API interface. The issue could only be exploited by logged-in users.
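Sort parameters are a classic injection point because an `ORDER BY` column name cannot be passed as a bound placeholder; it has to appear in the SQL text itself. The following added example (not openITCOCKPIT's code; the `hosts` table, its columns and the API sort keys are constructed for the demo) shows the vulnerable interpolation pattern next to the standard mitigation: map the request value onto a fixed allowlist of columns and directions and reject anything else.

```python
import sqlite3

# Allowlist: API sort key -> real column name. Anything not listed is refused.
SORTABLE_COLUMNS = {"name": "name", "created": "created_at"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by_unsafe(sort: str, direction: str) -> str:
    # Vulnerable pattern: request input is pasted straight into the SQL text.
    return f"ORDER BY {sort} {direction}"


def build_order_by(sort: str, direction: str = "asc") -> str:
    """Hardened: the request value only selects an entry from the allowlist,
    so the text that reaches the database is always one of a fixed set."""
    try:
        column = SORTABLE_COLUMNS[sort]
        order = DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort parameter: {sort!r} {direction!r}")
    return f'ORDER BY "{column}" {order}'


def list_hosts(conn: sqlite3.Connection, sort: str, direction: str = "asc") -> list:
    """API-style listing that accepts the client's sort request."""
    sql = "SELECT name, created_at FROM hosts " + build_order_by(sort, direction)
    return [row[0] for row in conn.execute(sql)]


def demo_db() -> sqlite3.Connection:
    # Constructed sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (name TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO hosts VALUES (?, ?)",
        [("web01", "2023-06-01"), ("db01", "2023-05-20"), ("mail01", "2023-06-03")],
    )
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(list_hosts(conn, "name"))              # ['db01', 'mail01', 'web01']
    print(list_hosts(conn, "created", "desc"))   # ['mail01', 'web01', 'db01']
    try:
        list_hosts(conn, "owner")  # not in the allowlist
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting unknown keys with an error, rather than silently falling back to a default order, also gives you a log line to alert on: legitimate clients only ever send the documented sort keys.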
The following issues are resolved by updating to openITCOCKPIT 4.6.5:
| Impact | CVE | Found by | ID | Vulnerability Summary |
|---|---|---|---|---|
| High | CVE-2023-36663 | hiu240900 | ITC-3017 | SQL injection: The sort endpoints of the API are vulnerable to SQL injection. |
| Medium | CVE-2023-3218 | tuannq2299 | ITC-3014 | Race condition: Creating multiple users with the same username |
Both discovered vulnerabilities require a logged-in user. We recommend installing the update as soon as possible.
Bugfixes and improvements
Please see the changelog for a complete list of new features, fixed bugs and improvements.
How to Update
Please see the official documentation of how to update openITCOCKPIT.
Many thanks to all researchers! We appreciate your hard work to keep openITCOCKPIT secure ❤️
Your openITCOCKPIT Team