News
27-Jan-2021
Monitorix 3.13.0 allows remote attackers to bypass Basic Authentication (if enabled) in a default installation, i.e., an installation whose auth subsection has no hosts_deny option. The issue arose because a new host-based access-control feature was introduced without considering that existing installations became unsafe upon an update to 3.13.0 unless the new feature was configured immediately.
More information on the vulnerability: CVE-2021-3325
This new version fixes the security bug introduced in 3.13.0 and also updates the main configuration file to add the option hosts_deny = all by default inside the auth subsection, so that the default behaviour (no client may skip authentication unless explicitly configured) is stated clearly in the configuration itself.
All users running 3.13.0 are advised and encouraged to upgrade to this new version, which resolves the security issue. After upgrading, check that the auth subsection of your monitorix.conf actually contains hosts_deny = all; if you maintain your own copy of the configuration file, add the option yourself.
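As an added illustration (this is not Monitorix code and is not taken from the announcement), the following Python models the failure mode described above: an auth subsection whose hosts_deny option is absent denies nobody, so every client skips Basic authentication, whereas hosts_deny = all makes authentication the default and only clients on an allow list skip it. The three monitorix.conf snippets are constructed for the example; the hosts_allow option, the precedence of hosts_allow over hosts_deny, and the meaning of the keyword all are assumptions about the feature's semantics rather than facts stated on this page. audit_auth is the check to run against a real configuration file after upgrading.

```python
"""Model of the host-based authentication bypass behind CVE-2021-3325.

Added example, not Monitorix's own code. Assumed semantics (not stated on the
announcement page): inside <auth>, hosts_deny lists clients that must present
Basic credentials, hosts_allow lists clients that may skip them, hosts_allow
takes precedence, and the keyword "all" matches every client.
"""
import re


def _conf(auth_extra):
    """Build a constructed monitorix.conf fragment with extra lines in <auth>."""
    return f"""<httpd_builtin>
    enabled = y
    port = 8080
    <auth>
        enabled = y
        htpasswd = /var/lib/monitorix/htpasswd
{auth_extra}    </auth>
</httpd_builtin>
"""


# Constructed: a 3.13.0-style <auth> block that has no hosts_deny option at all.
CONF_NO_HOSTS_DENY = _conf("")
# Constructed: the same block with the 3.13.1 default, hosts_deny = all.
CONF_DENY_ALL = _conf("        hosts_deny = all\n        hosts_allow =\n")
# Constructed: deny everyone except localhost, which may skip Basic auth.
CONF_LOCALHOST_BYPASS = _conf("        hosts_deny = all\n        hosts_allow = 127.0.0.1\n")

_OPEN = re.compile(r"<(\w+)>")
_CLOSE = re.compile(r"</(\w+)>")


def parse_conf(text):
    """Parse Apache-style nested <block> sections and key = value lines into dicts."""
    root = {}
    stack = [("", root)]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _OPEN.fullmatch(line):
            block = {}
            stack[-1][1][m.group(1)] = block
            stack.append((m.group(1), block))
        elif m := _CLOSE.fullmatch(line):
            if len(stack) == 1 or stack[-1][0] != m.group(1):
                raise ValueError(f"line {lineno}: unexpected {line}")
            stack.pop()
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: cannot parse {raw!r}")
            stack[-1][1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError(f"unterminated block <{stack[-1][0]}>")
    return root


def _listed(client_ip, hosts):
    """True if client_ip appears in a comma/space separated host list, or the list says 'all'."""
    entries = [h for h in re.split(r"[,\s]+", hosts) if h]
    return "all" in entries or client_ip in entries


def auth_required(conf, client_ip, strict=False):
    """Decide whether client_ip must present Basic credentials.

    A client on hosts_allow skips authentication; otherwise it must authenticate
    only if it is on hosts_deny. With strict=False a missing hosts_deny denies
    nobody, so everyone skips authentication: the fail-open behaviour of the
    advisory. With strict=True a missing or empty hosts_deny is read as "all".
    """
    auth = conf.get("httpd_builtin", {}).get("auth", {})
    if auth.get("enabled", "n") != "y":
        return False  # Basic auth is off; the host lists play no role here
    deny = auth.get("hosts_deny", "").strip()
    if strict and not deny:
        deny = "all"
    if _listed(client_ip, auth.get("hosts_allow", "")):
        return False
    return _listed(client_ip, deny)


def audit_auth(text):
    """Check a configuration file: report an enabled <auth> block whose hosts_deny is missing or empty."""
    auth = parse_conf(text).get("httpd_builtin", {}).get("auth", {})
    if auth.get("enabled", "n") != "y":
        return []
    if not auth.get("hosts_deny", "").strip():
        return ["auth enabled but hosts_deny is missing or empty: every client "
                "bypasses Basic auth; set hosts_deny = all in the auth subsection"]
    return []


if __name__ == "__main__":
    samples = [("no hosts_deny", CONF_NO_HOSTS_DENY), ("hosts_deny = all", CONF_DENY_ALL),
               ("localhost bypass", CONF_LOCALHOST_BYPASS)]
    for name, text in samples:
        conf = parse_conf(text)
        print(f"{name}: 203.0.113.5 must auth? {auth_required(conf, '203.0.113.5')}; "
              f"127.0.0.1 must auth? {auth_required(conf, '127.0.0.1')}; findings={audit_auth(text)}")
```

Run it as a script to see the three cases side by side; to audit a live installation, pass the contents of your monitorix.conf to audit_auth and treat any finding as the 3.13.0 condition the advisory describes.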