In affected Check_MK versions it was possible for an unauthenticated user to obtain information about the internal user database.
The latest oldstable version 1.2.8p25 of Check_MK is vulnerable to an unauthenticated information disclosure through a race condition during the authentication process when trying to authenticate with a valid username and an invalid password.
Check_MK 1.4 or newer is not affected by this issue.
The issue is caused by the logic that saves the number of failed logins for each user. During saving, parallel calls could try to rename a non-existing file that had just been renamed by a previous concurrent process. This causes the Check_MK GUI to fail and generate a crash report disclosing a variety of information, such as internal server paths and detailed user information.
The race condition causing this issue has been fixed with this werk.
This issue is currently identified with the ID: RCESEC-2017-001
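
The failed-login save race described above, replayed deterministically next to a hardened write, as an added example that is not Check_MK's code or the werk's actual fix. The shared `.new` temp name, the file name `num_failed.mk` and the function names are assumptions made for illustration.

```python
import os
import tempfile

def save_shared_tmp_steps(path, value):
    """Racy pattern (assumed): every writer uses the same temp name, path + '.new'.
    Returned as two steps so the bad interleaving can be replayed on purpose."""
    tmp = path + ".new"
    def write():
        with open(tmp, "w") as f:
            f.write(value)
    def rename():
        # Raises FileNotFoundError if a concurrent writer already renamed tmp.
        os.rename(tmp, path)
    return write, rename

def save_unique_tmp(path, value):
    """Hardened pattern: per-writer temp file in the same directory, then atomic replace."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(value)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic on POSIX; no other writer knows this temp name
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

def replay_race():
    """Replay two concurrent failed-login saves; return (racy_error, hardened_content)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "num_failed.mk")  # constructed file name
        write_a, rename_a = save_shared_tmp_steps(path, "1\n")
        write_b, rename_b = save_shared_tmp_steps(path, "2\n")
        write_a(); write_b(); rename_a()  # A renames the temp file B also relies on
        try:
            rename_b()
            racy_error = None
        except FileNotFoundError as exc:  # unhandled, this becomes the GUI crash
            racy_error = type(exc).__name__
        save_unique_tmp(path, "1\n")
        save_unique_tmp(path, "2\n")
        with open(path) as f:
            return racy_error, f.read()

if __name__ == "__main__":
    print(replay_race())
```

A unique temp file removes the crash but not lost updates; a counter that is read, incremented and written back also needs a lock around the whole sequence.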