OS Command Injection in misp-project MISP
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-19908 |
| CWE-ID | CWE-78 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
MISP Web applications / CMS |
| Vendor | misp-project.org |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) OS Command Injection
EUVDB-ID: #VU31177
Risk: High
CVSSv4.0: 7.4 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2018-19908
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote authenticated user to execute arbitrary code.
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
MitigationInstall update from vendor's website.
Vulnerable software versionsMISP: 2.4.90 - 2.4.98
CPE2.3- cpe:2.3:a:misp-project.org:misp:2.4.90:*:*:*:*:*:*:*
- cpe:2.3:a:misp-project.org:misp:2.4.91:*:*:*:*:*:*:*
- cpe:2.3:a:misp-project.org:misp:2.4.92:*:*:*:*:*:*:*
https://github.com/MISP/MISP/commit/211ac0737281b65e7da160f0aac52f401a94e1a3
https://github.com/MISP/MISP/releases/tag/v2.4.99
https://www.exploit-db.com/exploits/46401/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
