News

27-Jan-2021

Monitorix 3.13.0 allows remote attackers to bypass Basic Authentication (if enabled) in a default installation (i.e., an installation without a hosts_deny option). This issue occurred because a new access-control feature was introduced without considering that some existing installations became unsafe, upon an update to 3.13.0, unless the new feature was immediately configured.

More information on the vulnerability: CVE-2021-3325

This new version fixes such security bug introduced in the 3.13.0 and also updates the main configuration file to add the option hosts_deny = all by default inside the auth subsection, in an attempt to make the default behavior more clear.

All users using the 3.13.0 version are advised and encouraged to upgrade to this new version, which resolves the security issue.