Vulnerability Description
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Misp | Misp | >= 2.4.90, < 2.4.99 |
Related Weaknesses (CWE)
References
- https://github.com/MISP/MISP/commit/211ac0737281b65e7da160f0aac52f401a94e1a3PatchThird Party Advisory
- https://github.com/MISP/MISP/releases/tag/v2.4.99Release NotesThird Party Advisory
- https://www.exploit-db.com/exploits/46401/ExploitThird Party AdvisoryVDB Entry
- https://github.com/MISP/MISP/commit/211ac0737281b65e7da160f0aac52f401a94e1a3PatchThird Party Advisory
- https://github.com/MISP/MISP/releases/tag/v2.4.99Release NotesThird Party Advisory
- https://www.exploit-db.com/exploits/46401/ExploitThird Party AdvisoryVDB Entry
FAQ
What is CVE-2018-19908?
CVE-2018-19908 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abus...
How severe is CVE-2018-19908?
CVE-2018-19908 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-19908?
Check the references section above for vendor advisories and patch information. Affected products include: Misp Misp.