PT-2019-12993 · Misp · Misp
Dawid Czarnecki · Published 2019-06-17 · Updated 2023-09-28
CVE-2019-12868 · CVSS v3.1 7.2 (High)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
MISP version 2.4.109
Description
app/Model/Server.php in MISP 2.4.109 passes user-controlled values to the PHP file_exists() function. file_exists() honours PHP stream wrappers, so a super administrator can submit a phar:// URL instead of a plain path; when PHP opens the archive it unserializes the phar metadata, and that deserialization of attacker-controlled data leads to remote command execution. The super administrator privilege required for the vulnerable code path is why the CVSS vector carries PR:H.
Recommendations
Upgrade MISP to a release that contains the fix for CVE-2019-12868. Until the upgrade is possible, limit the super administrator role to trusted accounts (the vulnerable code path requires it) and make sure app/Model/Server.php never passes a user-controlled value to file_exists(): reject any value that carries a stream wrapper such as phar://, and only accept paths that resolve (realpath()) to a regular file inside an allowed directory.
Fix
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
CVE-2019-12868
Affected Products
Misp
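The file_exists()/phar:// interaction from the Description, as an added example that is not MISP's own code: a self-contained PHP script that first builds a phar whose metadata carries a serialized object, then (in a second process, because a phar built in the same process stays cached and is not re-parsed) shows that file_exists() on a phar:// path deserializes that metadata, and contrasts it with a hardened check that refuses stream wrappers and confines the resolved path to an allowed directory. The class and function names (Probe, build_phar, vulnerable_exists, safe_exists) and the temp-file paths are assumptions for the demo, not MISP identifiers. Caveat: the automatic deserialization happens on PHP 7.x; PHP 8.0 and later only unserialize phar metadata on an explicit Phar::getMetadata() call, so on those versions the vulnerable branch prints "Probe woken: 0".

```php
<?php
// Added example, not MISP code. Run in two processes:
//   php -d phar.readonly=0 phar_demo.php build     # attacker-controlled phar lands on disk
//   php phar_demo.php trigger                       # the application calls file_exists() on it

// Stand-in for a gadget class that exists in the target application. __wakeup()
// runs only when an instance is unserialized, so it fires exactly when PHP
// deserializes the phar metadata (PHP 7.x) and never for the object we build.
class Probe
{
    public $tag = 'constructed-demo';
    public static $woken = 0;

    public function __wakeup()
    {
        self::$woken++;
        echo "[!] Probe::__wakeup() ran while PHP parsed the phar metadata (tag={$this->tag})\n";
    }
}

// Build a phar whose metadata is a serialized Probe (the attacker-controlled part).
function build_phar(string $pharPath): void
{
    @unlink($pharPath);
    $phar = new Phar($pharPath);           // needs phar.readonly=0
    $phar->startBuffering();
    $phar->addFromString('x.txt', 'x');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->setMetadata(new Probe());
    $phar->stopBuffering();
}

// Vulnerable pattern: the path comes straight from the request.
function vulnerable_exists(string $userPath): bool
{
    // With a phar:// path the phar wrapper opens the archive and, on PHP 7.x,
    // unserializes its metadata before any existence answer is returned.
    return file_exists($userPath);
}

// Hardened pattern: no stream wrappers at all, and the resolved path must be a
// regular file inside $allowedDir (realpath() also neutralises ../ traversal).
function safe_exists(string $userPath, string $allowedDir): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return false;                      // phar://, data://, php://, ... rejected
    }
    $real = realpath($userPath);
    $base = realpath($allowedDir);
    if ($real === false || $base === false) {
        return false;
    }
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0 && is_file($real);
}

$pharPath = sys_get_temp_dir() . '/probe.phar';    // assumed location of the planted archive
$mode = $argv[1] ?? '';

if ($mode === 'build') {
    build_phar($pharPath);
    echo "built $pharPath\n";
} elseif ($mode === 'trigger') {
    $attack = 'phar://' . $pharPath . '/x.txt';    // what a super admin could submit
    $legit  = sys_get_temp_dir() . '/legit.txt';   // constructed plain file for the positive case
    file_put_contents($legit, 'ok');

    echo 'vulnerable_exists(attack): '; var_dump(vulnerable_exists($attack));
    echo 'Probe woken: ' . Probe::$woken . "\n";   // 1 on PHP 7.x; 0 on PHP >= 8.0 (lazy metadata)

    echo 'safe_exists(attack): '; var_dump(safe_exists($attack, sys_get_temp_dir()));  // bool(false)
    echo 'safe_exists(legit):  '; var_dump(safe_exists($legit, sys_get_temp_dir()));   // bool(true)
    echo 'Probe woken: ' . Probe::$woken . "\n";   // unchanged: the hardened check never opened the archive

    @unlink($legit);
} else {
    fwrite(STDERR, "usage: php -d phar.readonly=0 phar_demo.php build | php phar_demo.php trigger\n");
    exit(1);
}
```

The order of checks in safe_exists() matters: the wrapper test runs before realpath() or is_file(), because those functions also go through the phar wrapper and would trigger the same metadata parsing if handed a phar:// value first.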