CVE-2023-31211

8.8 HIGH

📋 TL;DR

This vulnerability in Checkmk allows attackers to use locked credentials because of an insufficient authentication flow, and could give them unauthorized access to monitoring systems. Checkmk installations before versions 2.2.0p18, 2.1.0p38, and 2.0.0p39 are affected.

💻 Affected Systems

Products:
  • Checkmk
Versions: All versions before 2.2.0p18, 2.1.0p38, and 2.0.0p39
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All standard Checkmk installations with default authentication configuration are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of monitoring system leading to data exfiltration, system manipulation, or lateral movement to other systems.

🟠

Likely Case

Unauthorized access to monitoring data and potential privilege escalation within the Checkmk environment.

🟢

If Mitigated

Limited impact with proper network segmentation and strong authentication controls in place.

🌐 Internet-Facing: HIGH - Internet-facing Checkmk instances are directly exploitable without authentication bypass.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require network access to reach.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some authentication knowledge but is technically straightforward once understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.0p18, 2.1.0p38, or 2.0.0p39

Vendor Advisory: https://checkmk.com/werk/16227

Restart Required: Yes

Instructions:

1. Backup your Checkmk configuration.
2. Update to the patched version using your package manager.
3. Restart Checkmk services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Restriction

linux

Restrict network access to Checkmk instances to trusted IP addresses only. Replace trusted_ip with the address or CIDR range of your administration network; the ACCEPT rules must be appended before the DROP rules so that trusted traffic matches first.

# allow the Checkmk web interface only from the trusted source
iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_ip -j ACCEPT
# drop every other connection to those ports
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Checkmk instances
  • Enable multi-factor authentication and review all user accounts

🔍 How to Verify

Check if Vulnerable:

Check the installed Checkmk version:

omd version

Verify Fix Applied:

Verify that the reported version is 2.2.0p18, 2.1.0p38, or 2.0.0p39 or later on its release line.
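The version check above can be automated. The following script is an added example, not code from the page or from Checkmk: it parses the version token out of `omd version` output, assumed here to look like "OMD - Open Monitoring Distribution Version 2.2.0p17.cre" (an assumption; only the N.N.NpN token is used), and compares the patch level against the three patched versions the advisory names. Release lines newer than 2.2.0 are assumed to carry the fix; lines older than 2.0.0 are reported as not covered by this advisory.

```python
import re
import subprocess

# Minimum patched patch-level on each affected release line (from the advisory).
PATCHED_LEVEL = {
    (2, 2, 0): 18,
    (2, 1, 0): 38,
    (2, 0, 0): 39,
}

# Matches "2.2.0p17" or a bare "2.2.0"; the optional pN group is the patch level.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(omd_output):
    """Return (major, minor, micro, patch_level) found in `omd version` output.

    Assumed output format: "OMD - Open Monitoring Distribution Version 2.2.0p17.cre"
    (assumption). Only the version token is used, so any text containing it works.
    A version with no pN suffix is treated as patch level 0.
    """
    m = VERSION_RE.search(omd_output)
    if not m:
        raise ValueError(f"no Checkmk version found in {omd_output!r}")
    major, minor, micro, patch = m.groups()
    return int(major), int(minor), int(micro), int(patch or 0)


def assess(version):
    """Classify a parsed version as 'vulnerable', 'patched' or 'unknown'."""
    line, patch = version[:3], version[3]
    if line in PATCHED_LEVEL:
        return "patched" if patch >= PATCHED_LEVEL[line] else "vulnerable"
    if line > max(PATCHED_LEVEL):
        return "patched"  # release line newer than 2.2.0: assumed to include the fix
    return "unknown"  # release line older than 2.0.0: not covered by this advisory


def check_output(omd_output):
    """Convenience wrapper: parse the output, then assess it."""
    return assess(parse_version(omd_output))


if __name__ == "__main__":
    # Run the page's own check on this host and classify the result.
    out = subprocess.run(["omd", "version"], capture_output=True, text=True).stdout
    print(out.strip(), "->", check_output(out))
```

Run it as the site user or root on the Checkmk host; a result of "vulnerable" means the installed patch level is below the fixed version on that release line.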

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts
  • Access from unexpected IP addresses
  • Multiple failed login attempts followed by success

Network Indicators:

  • Unusual traffic patterns to Checkmk ports
  • Authentication requests from unauthorized sources

SIEM Query:

source="checkmk.log" AND ("authentication" OR "login") AND status="success" AND src_ip NOT IN [trusted_ips]
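The two log indicators listed above (a login success from an unexpected source, and several failures followed by a success) can be checked outside a SIEM as well. The script below is an added example, not code from the page or from Checkmk. It runs over constructed sample lines in an assumed normalised "timestamp user= ip= result=" layout, which is not Checkmk's native log format; the trusted network 10.0.0.0/8, the threshold of three failures and the ten-minute window are assumptions to adjust for your environment.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Networks from which Checkmk logins are expected (assumption; adjust to your site).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in an assumed normalised layout (not Checkmk's native format).
SAMPLE_LOG = """\
2024-01-15T10:00:01 user=cmkadmin ip=10.1.2.3 result=failure
2024-01-15T10:00:05 user=cmkadmin ip=10.1.2.3 result=failure
2024-01-15T10:00:09 user=cmkadmin ip=10.1.2.3 result=failure
2024-01-15T10:00:12 user=cmkadmin ip=10.1.2.3 result=success
2024-01-15T10:05:00 user=monitor ip=203.0.113.7 result=success
2024-01-15T10:06:00 user=monitor ip=10.1.2.9 result=success
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) result=(\S+)$")


def parse_line(line):
    """Return (timestamp, user, ip, result), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip, result = m.groups()
    return datetime.fromisoformat(ts), user, ipaddress.ip_address(ip), result


def is_trusted(ip, trusted_nets):
    """True when the source address lies inside one of the trusted networks."""
    return any(ip in net for net in trusted_nets)


def detect(log_text, trusted_nets=TRUSTED_NETS, fail_threshold=3,
           window=timedelta(minutes=10)):
    """Return alerts for the page's two log indicators:
    - a successful login from a source outside trusted_nets
    - a success preceded by at least fail_threshold failures for the same
      user/ip pair within the window
    """
    alerts = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip lines that are not authentication events
        ts, user, ip, result = parsed
        key = (user, ip)
        if result != "success":
            failures[key].append(ts)
            continue
        if not is_trusted(ip, trusted_nets):
            alerts.append(("success_from_untrusted_source", user, str(ip), ts))
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append(("failures_then_success", user, str(ip), ts))
        failures[key].clear()  # each success starts a fresh failure window
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample data this raises one failures_then_success alert for cmkadmin from 10.1.2.3 and one success_from_untrusted_source alert for monitor from 203.0.113.7; the login from 10.1.2.9 is inside the trusted range and produces nothing.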

🔗 References
