MISP – SQL injection in CRUD component
VULNERABILITY
SQL injection in CRUD component
REPORTING DATE
10.11.2022
Affected Vendor
CIRCL – Computer Incident Response Center Luxembourg
Affected Product
MISP – Malware Information Sharing Platform & Open Standards For Threat Information Sharing – https://www.misp-project.org/
Vulnerable version
2.4.166
Fixed version
2.4.167
CVSS
Recommendations
Update to MISP v2.4.167
Vulnerability details
MISP is an open source threat intelligence platform for sharing security-related information between organizations. It is supported financially and with resources by the Computer Incident Response Center Luxembourg (CIRCL).
Areas of the application that use a specific CRUD component are vulnerable to SQL injection. The vulnerability allows an attacker to extract various information from the database, including password hashes, API keys, and other data.
This vulnerability was detected with the help of Cake Fuzzer: https://github.com/Zigrin-Security/CakeFuzzer
CVE
Credits
Dawid Czarnecki
References
- MISP advisory: https://www.misp-project.org/2023/02/20/Critical_SQL_Injection_Vulnerabilities_Fixed.html/
- CWE-89: http://cwe.mitre.org/data/definitions/89.html
- OWASP SQL injection page: https://www.owasp.org/index.php/SQL_Injection
- OWASP SQL injection prevention cheat sheet: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html