Abstract Advisory Information
Improper access control on the REST API allows pivoting to other MISP instances under specific conditions.
Authors: Guenaëlle De Julis and Céline Massompierre
Version affected
Name: MISP
Versions: <= 2.4.114
Common Vulnerability Scoring System
7.7
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Patches
The vulnerability is patched in version 2.4.115.
References
https://www.misp-project.org/2019/09/10/MISP.2.4.115.released.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16202
Vulnerability Disclosure Timeline
- 05/09/2019: vulnerability discovered
- 06/09/2019: first contact with MISP Project maintainers
- 06/09/2019: vulnerability confirmed by MISP Project maintainers
- 09/09/2019: patch released and tagged
- 09/09/2019: private disclosure to all known MISP community users
- 10/09/2019: public disclosure