SB2018021212 - OS Command Injection in misp-project MISP

Published: February 12, 2018 Updated: August 8, 2020

Security Bulletin ID: SB2018021212
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) OS Command Injection (CVE-ID: CVE-2018-6926)

The vulnerability allows a remote privileged user to execute arbitrary code.

In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hat Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrator.
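As an added illustration of the bug class described above (this is not MISP's own code and does not reproduce the patched function), a hypothetical PHP pattern in which an admin-editable setting holding a shell path is concatenated into a command, beside a version that restricts the setting to an allowlist and quotes it. The names `buildWrapperUnsafe`, `buildWrapperSafe`, `ALLOWED_SHELLS` and the sample values are assumptions.

```php
<?php
// Hypothetical illustration of the bulletin's bug class; not MISP code.
// A site-admin-editable setting supplies the shell path used to run a script.

// Vulnerable pattern: the configured value is pasted straight into the command
// line, so a value containing shell metacharacters alters what gets executed.
function buildWrapperUnsafe(string $configuredShell, string $script): string
{
    return $configuredShell . ' ' . $script;   // no validation, no quoting
}

// Hardened pattern: the setting may only select from a fixed set of known
// interpreters, the chosen binary must exist and be executable, and every
// argument is quoted with escapeshellarg() before it reaches the shell.
const ALLOWED_SHELLS = ['/bin/sh', '/bin/bash', '/usr/bin/bash'];  // assumed list

function isAllowedShell(string $path): bool
{
    return in_array($path, ALLOWED_SHELLS, true) && is_executable($path);
}

function buildWrapperSafe(string $configuredShell, string $script): ?string
{
    if (!isAllowedShell($configuredShell)) {
        return null;                           // refuse to build a command at all
    }
    return escapeshellarg($configuredShell) . ' ' . escapeshellarg($script);
}

// Constructed sample settings: one legitimate, two that a validator must reject.
$samples = [
    '/bin/bash',
    '/bin/bash; id',
    '/tmp/attacker-shell',
];
foreach ($samples as $setting) {
    $cmd = buildWrapperSafe($setting, '/path/to/script.sh');
    echo str_pad($setting, 22) . ' => ' . ($cmd ?? 'REJECTED') . PHP_EOL;
}
```

Logging the rejected value alongside the admin account that saved it gives a detection hook for attempts to abuse the setting.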


Remediation

Install the update from the vendor's website.