
CVE-2020-29006: MISP Lacks ACL checks (Confused Deputy)

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.

1.1        Vulnerability Summary

MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyElement.php.
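The following is an added illustration, not code from the MISP project: a CakePHP 2 style controller action written twice, once in the confused-deputy form the CVE title describes (the action trusts an identifier from the URL and reads child records with the application's own database privileges, never asking whether the requesting user may see the parent object) and once hardened so the parent is resolved through an authorization-aware lookup first. The class, model and method names follow MISP's naming conventions, but `fetchIfAuthorized()` and its argument order are assumed here for the example; check the actual signature in your MISP version before copying it.

```php
<?php
// Added example (hypothetical, not MISP's own code). Shows the missing
// ACL check pattern and its fix side by side in a CakePHP 2 controller.

class GalaxyElementsController extends AppController
{
    public $uses = array('GalaxyElement');

    // Vulnerable pattern (confused deputy): the cluster id comes straight
    // from the request, and the query runs with the controller's own
    // database privileges. Nothing verifies that the authenticated user is
    // entitled to view the parent cluster, so any logged-in user can list
    // the elements of clusters that were never shared with them.
    public function indexVulnerable($clusterId)
    {
        $elements = $this->GalaxyElement->find('all', array(
            'conditions' => array('GalaxyElement.galaxy_cluster_id' => $clusterId),
            'recursive'  => -1,
        ));
        $this->set('elements', $elements);
    }

    // Hardened pattern: resolve the parent through an authorization-aware
    // lookup before touching the child table. fetchIfAuthorized() is
    // assumed (for this example) to apply the same distribution and
    // sharing-group rules that protect the cluster itself and to return
    // an empty result when the user may not view it. Only the id that the
    // authorized lookup returned is used in the child query, so the
    // user-supplied value never reaches the database unchecked.
    public function index($clusterId)
    {
        $cluster = $this->GalaxyElement->GalaxyCluster->fetchIfAuthorized(
            $this->Auth->user(), $clusterId, 'view', false, false
        );
        if (empty($cluster)) {
            // Same response whether the cluster is missing or merely
            // invisible to this user, to avoid confirming its existence.
            throw new NotFoundException(__('Invalid galaxy cluster.'));
        }
        $elements = $this->GalaxyElement->find('all', array(
            'conditions' => array(
                'GalaxyElement.galaxy_cluster_id' => $cluster['GalaxyCluster']['id'],
            ),
            'recursive' => -1,
        ));
        $this->set('elements', $elements);
    }
}
```

The check belongs in the controller action (or in a model method every action calls), not in the view: a REST client hitting the same URL with `Accept: application/json` never renders the view, so a view-level guard would not help. When auditing other MISP controllers for the same class of bug, look for actions that accept a parent id and query a child model directly without first fetching the parent through the authorization-aware path.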


1.2        CVSS Score

The CVSS v3.1 base score of this vulnerability is 9.8 (Critical): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

1.3        Affected Version

Affected versions are: MISP before 2.4.135.

1.4        Vulnerability Attribution

This vulnerability was reported by MITRE.

1.5        Risk Impact

MISP Threat Sharing is an open-source threat intelligence platform. The project develops utilities and documentation for more effective threat intelligence through the sharing of indicators of compromise. More than 6000 organizations use MISP, and the project is co-funded by the EU. Because the affected controller action can be reached without the ACL check that the rest of the application applies, it acts as a confused deputy: it exercises the application's own privileges on behalf of a request it should have refused. An attacker who gains control of the server, or of the data it serves, effectively controls the threat-sharing feeds, which can adversely affect every endpoint that relies on those feeds for its signatures. Although no public exploit has been disclosed, the fixing commit linked on GitHub provides enough information to design one.


1.6        Virsec Security Platform (VSP) Support:

The Insider-Protect capability of the Virsec Security Platform (VSP) for Web can be used to prevent this vulnerability from being exploited. It adds an additional layer of ACL enforcement in front of the application, independent of the check the application itself omits.


1.7        Reference Links:

Download the full vulnerability report to learn more about this and other important vulnerabilities.