#VU35825 Deserialization of Untrusted Data in MISP - CVE-2019-12868

Cybersecurity Help s.r.o.

Published: 2019-06-18 | Updated: 2020-08-08

Vulnerability identifier: #VU35825

Vulnerability risk: Medium

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-12868

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MISP
Web applications / CMS

Vendor: misp-project.org

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.

Mitigation
Install update from vendor's website.

Vulnerable software versions

MISP: 2.4.109

External links
https://github.com/MISP/MISP/commit/c42c5fe92783dd306b7600db1f6a25324445b40c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Deserialization of Untrusted Data in misp-project MISP