MISP - Command injection via phar:// deserialization | Web Application Security Testing

DATE

16.06.2019

Affected Vendor

CIRCL – Computer Incident Response Center Luxembourg

Affected Product

MISP – Malware Information Sharing Platform & Open Standards For Threat Information Sharing – https://www.misp-project.org/

Vulnerable version

2.4.109

Fixed version

2.4.110

CVSS

9.1 Critical CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Recommendations

Update to MISP version 2.4.110

Vulnerability details

There is a command execution vulnerability in MISP due to the deserialization of phar files by functions like file_exists or fopen.
It’s only exploitable with admin privileges.

PoC

MISP Command injection

CVE

CVE-2019-12868

Credits

Dawid Czarnecki

References

https://nvd.nist.gov/vuln/detail/CVE-2019-12868
https://github.com/MISP/MISP/commit/c42c5fe92783dd306b7600db1f6a25324445b40c

Do you think the security of your data might be lacking? Let's find the best approach together.
Once you contact us, we will ask you about the project you want to secure.

Have Any Questions?

MISP – Command injection via phar:// deserialization

NEED A CONSULTATION?

contact@zigrin.com

GPG Key

Get a free consultation