{"id":"UBUNTU-CVE-2024-13723","details":"The \"NagVis\" component within Checkmk is vulnerable to remote code execution. An authenticated attacker with administrative level privileges is able to upload a malicious PHP file and modify specific settings to execute the contents of the file as PHP.","modified":"2025-10-24T05:06:48Z","published":"2025-02-04T22:15:00Z","upstream":["CVE-2024-13723"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-13723"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-13723"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2025/02/04/4"},{"type":"REPORT","url":"http://seclists.org/fulldisclosure/2025/Feb/4"},{"type":"REPORT","url":"http://www.openwall.com/lists/oss-security/2025/02/04/4"},{"type":"REPORT","url":"https://checkmk.com/werks?version=2.3.0p10"},{"type":"REPORT","url":"https://korelogic.com/Resources/Advisories/KL-001-2025-002.txt"},{"type":"REPORT","url":"https://www.nagvis.org/downloads/changelog/1.9.42"}],"affected":[{"package":{"name":"check-mk","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/check-mk@1.2.6p12-1ubuntu0.16.04.1+esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.2.6p5-1","1.2.6p12-1","1.2.6p12-1ubuntu0.16.04.1","1.2.6p12-1ubuntu0.16.04.1+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"check-mk-agent","binary_version":"1.2.6p12-1ubuntu0.16.04.1+esm1"},{"binary_name":"check-mk-agent-logwatch","binary_version":"1.2.6p12-1ubuntu0.16.04.1+esm1"},{"binary_name":"check-mk-config-icinga","binary_version":"1.2.6p12-1ubuntu0.16.04.1+esm1"},{"binary_name":"check-mk-config-nagios3","binary_version":"1.2.6p12-1ubuntu0.16.04.1+esm1"},{"binary_name":"check-mk-livestatus","binary_version":"1.2.6p12-1ubuntu0.16.04.1+esm1"},{"binary_name":"check-mk-multisite","binary_version":"1.2.6p12-1ubuntu0.16.04.1+esm1"},{"binary_name":"check-mk-server","binary_version":"1.2.6p12-1ubuntu0.16.04.1+esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-13723.json"}},{"package":{"name":"nagvis","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/nagvis@1:1.7.10+dfsg1-3ubuntu1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.7.10+dfsg1-3","1:1.7.10+dfsg1-3ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"nagvis","binary_version":"1:1.7.10+dfsg1-3ubuntu1"},{"binary_name":"nagvis-demos","binary_version":"1:1.7.10+dfsg1-3ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-13723.json"}},{"package":{"name":"check-mk","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/check-mk@1.2.8p16-1ubuntu0.2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.2.8p16-1ubuntu0.1","1.2.8p16-1ubuntu0.2"],"ecosystem_specific":{"binaries":[{"binary_name":"check-mk-agent","binary_version":"1.2.8p16-1ubuntu0.2"},{"binary_name":"check-mk-agent-logwatch","binary_version":"1.2.8p16-1ubuntu0.2"},{"binary_name":"check-mk-config-icinga","binary_version":"1.2.8p16-1ubuntu0.2"},{"binary_name":"check-mk-livestatus","binary_version":"1.2.8p16-1ubuntu0.2"},{"binary_name":"check-mk-multisite","binary_version":"1.2.8p16-1ubuntu0.2"},{"binary_name":"check-mk-server","binary_version":"1.2.8p16-1ubuntu0.2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-13723.json"}},{"package":{"name":"nagvis","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/nagvis@1:1.7.10+dfsg1-3.2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.7.10+dfsg1-3.2"],"ecosystem_specific":{"binaries":[{"binary_name":"nagvis","binary_version":"1:1.7.10+dfsg1-3.2"},{"binary_name":"nagvis-demos","binary_version":"1:1.7.10+dfsg1-3.2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-13723.json"}},{"package":{"name":"nagvis","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/nagvis@1:1.9.30-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.9.25-2","1:1.9.27-1","1:1.9.28-1","1:1.9.29-1","1:1.9.30-1"],"ecosystem_specific":{"binaries":[{"binary_name":"nagvis","binary_version":"1:1.9.30-1"},{"binary_name":"nagvis-demos","binary_version":"1:1.9.30-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-13723.json"}},{"package":{"name":"nagvis","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/nagvis@1:1.9.40-1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.9.36-1","1:1.9.38-1","1:1.9.39-1","1:1.9.40-1"],"ecosystem_specific":{"binaries":[{"binary_name":"nagvis","binary_version":"1:1.9.40-1"},{"binary_name":"nagvis-demos","binary_version":"1:1.9.40-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-13723.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}