cvelistv5 - CVE-2023-50918

CVE-2023-50918 (GCVE-0-2023-50918)

Vulnerability from cvelistv5 – Published: 2023-12-15 00:00 – Updated: 2024-08-02 22:23

Summary

app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/MISP/MISP/commit/92888b1376246…
	https://github.com/MISP/MISP/compare/v2.4.181...v…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T22:23:44.081Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-15T17:31:55.318250",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1"
        },
        {
          "url": "https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-50918",
    "datePublished": "2023-12-15T00:00:00",
    "dateReserved": "2023-12-15T00:00:00",
    "dateUpdated": "2024-08-02T22:23:44.081Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.4.182\", \"matchCriteriaId\": \"AAC65444-AE99-4A5A-8BD0-C305F956C0ED\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.\"}, {\"lang\": \"es\", \"value\": \"app/Controller/AuditLogsController.php en MISP anterior a 2.4.182 maneja mal las ACL para los registros de auditor\\u00eda.\"}]",
      "id": "CVE-2023-50918",
      "lastModified": "2024-11-21T08:37:31.503",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2023-12-15T18:15:07.723",
      "references": "[{\"url\": \"https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-50918\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2023-12-15T18:15:07.723\",\"lastModified\":\"2024-11-21T08:37:31.503\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.\"},{\"lang\":\"es\",\"value\":\"app/Controller/AuditLogsController.php en MISP anterior a 2.4.182 maneja mal las ACL para los registros de auditor\u00eda.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.4.182\",\"matchCriteriaId\":\"AAC65444-AE99-4A5A-8BD0-C305F956C0ED\"}]}]}],\"references\":[{\"url\":\"https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
  }
}

GSD-2023-50918

Vulnerability from gsd - Updated: 2023-12-16 06:01

Details

app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.

Aliases

CVE-2023-50918

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-50918"
      ],
      "details": "app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.",
      "id": "GSD-2023-50918",
      "modified": "2023-12-16T06:01:28.310780Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2023-50918",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1",
            "refsource": "MISC",
            "url": "https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1"
          },
          {
            "name": "https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182",
            "refsource": "MISC",
            "url": "https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "AAC65444-AE99-4A5A-8BD0-C305F956C0ED",
                    "versionEndExcluding": "2.4.182",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs."
          },
          {
            "lang": "es",
            "value": "app/Controller/AuditLogsController.php en MISP anterior a 2.4.182 maneja mal las ACL para los registros de auditor\u00eda."
          }
        ],
        "id": "CVE-2023-50918",
        "lastModified": "2023-12-19T17:18:38.713",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2023-12-15T18:15:07.723",
        "references": [
          {
            "source": "cve@mitre.org",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182"
          }
        ],
        "sourceIdentifier": "cve@mitre.org",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "NVD-CWE-noinfo"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

CERTFR-2023-AVI-1042

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans MISP. Certaines d'entre elles permettent à un attaquant de provoquer un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	MISP	MISP	MISP versions antérieures à 2.4.182

References

Title

Publication Time

Tags

Bulletin de sécurité MISP du 18 décembre 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "MISP versions ant\u00e9rieures \u00e0 2.4.182",
      "product": {
        "name": "MISP",
        "vendor": {
          "name": "MISP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-50918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-50918"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-1042",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-12-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans\u003cspan\nclass=\"textit\"\u003e MISP\u003c/span\u003e. Certaines d\u0027entre elles permettent \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9s dans MISP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 MISP du 18 d\u00e9cembre 2023",
      "url": "https://www.misp-project.org/security/"
    }
  ]
}

CERTFR-2023-AVI-1042

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans MISP. Certaines d'entre elles permettent à un attaquant de provoquer un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	MISP	MISP	MISP versions antérieures à 2.4.182

References

Title

Publication Time

Tags

Bulletin de sécurité MISP du 18 décembre 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "MISP versions ant\u00e9rieures \u00e0 2.4.182",
      "product": {
        "name": "MISP",
        "vendor": {
          "name": "MISP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-50918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-50918"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-1042",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-12-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans\u003cspan\nclass=\"textit\"\u003e MISP\u003c/span\u003e. Certaines d\u0027entre elles permettent \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9s dans MISP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 MISP du 18 d\u00e9cembre 2023",
      "url": "https://www.misp-project.org/security/"
    }
  ]
}

GHSA-MH7X-8J8H-XVJ8

Vulnerability from github – Published: 2023-12-15 18:30 – Updated: 2023-12-19 18:30

Details

app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-50918"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-15T18:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.",
  "id": "GHSA-mh7x-8j8h-xvj8",
  "modified": "2023-12-19T18:30:30Z",
  "published": "2023-12-15T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50918"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

WID-SEC-W-2023-3164

Vulnerability from csaf_certbund - Published: 2023-12-17 23:00 - Updated: 2023-12-17 23:00

Summary

MISP: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

MISP ist eine Open-Source-Plattform für den Informationsaustausch über Bedrohungen.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in MISP ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- UNIX - Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "MISP ist eine Open-Source-Plattform f\u00fcr den Informationsaustausch \u00fcber Bedrohungen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in MISP ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-3164 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-3164.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-3164 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-3164"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2023-12-17",
        "url": "https://github.com/advisories/GHSA-mh7x-8j8h-xvj8"
      },
      {
        "category": "external",
        "summary": "NIST Vulnerability Database vom 2023-12-17",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50918"
      }
    ],
    "source_lang": "en-US",
    "title": "MISP: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2023-12-17T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:02:53.005+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-3164",
      "initial_release_date": "2023-12-17T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-12-17T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source MISP \u003c 2.4.182",
            "product": {
              "name": "Open Source MISP \u003c 2.4.182",
              "product_id": "T031730",
              "product_identification_helper": {
                "cpe": "cpe:/a:misp:misp:2.4.182"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-50918",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in MISP. ACLs f\u00fcr Audit-Logs werden in app/Controller/AuditLogsController.php unsachgem\u00e4\u00df behandelt. Ein Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen."
        }
      ],
      "release_date": "2023-12-17T23:00:00.000+00:00",
      "title": "CVE-2023-50918"
    }
  ]
}

FKIE_CVE-2023-50918

Vulnerability from fkie_nvd - Published: 2023-12-15 18:15 - Updated: 2024-11-21 08:37

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.

References

URL	Tags
cve@mitre.org	https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1	Patch
cve@mitre.org	https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182	Patch

Impacted products

	Vendor	Product	Version
	misp	misp	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AAC65444-AE99-4A5A-8BD0-C305F956C0ED",
              "versionEndExcluding": "2.4.182",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs."
    },
    {
      "lang": "es",
      "value": "app/Controller/AuditLogsController.php en MISP anterior a 2.4.182 maneja mal las ACL para los registros de auditor\u00eda."
    }
  ],
  "id": "CVE-2023-50918",
  "lastModified": "2024-11-21T08:37:31.503",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-15T18:15:07.723",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/MISP/MISP/commit/92888b1376246c0f20c256aaa3c57b6f12115fa1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/MISP/MISP/compare/v2.4.181...v2.4.182"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-50918 (GCVE-0-2023-50918)

GSD-2023-50918

CERTFR-2023-AVI-1042

Solution

CERTFR-2023-AVI-1042

Solution

GHSA-MH7X-8J8H-XVJ8

WID-SEC-W-2023-3164

FKIE_CVE-2023-50918

Tags

Sightings

Nomenclature