OS Command Injection in MISP - CVE-2018-6926
Published: February 12, 2018 / Updated: August 8, 2020
Vulnerability identifier: #VU37546
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-6926
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: misp-project.org
Affected software:
MISP
MISP
Detailed vulnerability description
The vulnerability allows a remote privileged user to execute arbitrary code.
In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrator.
How to mitigate CVE-2018-6926
Install update from vendor's website.