An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.
Show details on NVD website{
"containers": {
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-09T08:55:42.256938",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/MISP/MISP/commit/312d2d5422235235ddd211dcb6bb5bb09c07791f"
},
{
"url": "https://github.com/MISP/MISP/compare/v2.4.183...v2.4.184"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-25674",
"datePublished": "2024-02-09T00:00:00",
"dateReserved": "2024-02-09T00:00:00",
"dateUpdated": "2024-02-09T08:55:42.256938",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-25674\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2024-02-09T09:15:08.597\",\"lastModified\":\"2024-02-12T14:30:40.343\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 un problema en MISP antes de la versi\u00f3n 2.4.184. La carga del logotipo de la organizaci\u00f3n no es segura debido a la falta de comprobaciones de la extensi\u00f3n del archivo y el tipo MIME.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.4.184\",\"matchCriteriaId\":\"92E5DACC-4136-41BD-AF20-BC889159DB39\"}]}]}],\"references\":[{\"url\":\"https://github.com/MISP/MISP/commit/312d2d5422235235ddd211dcb6bb5bb09c07791f\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/MISP/MISP/compare/v2.4.183...v2.4.184\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]}]}}"
}
}
MISP: Mehrere Schwachstellen
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: MISP ist eine Open-Source-Plattform für den Informationsaustausch über Bedrohungen.
Angriff: Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in MISP ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen und um Sicherheitsmaßnahmen zu umgehen.
Betroffene Betriebssysteme: - Linux
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "MISP ist eine Open-Source-Plattform f\u00fcr den Informationsaustausch \u00fcber Bedrohungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in MISP ausnutzen, um einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren und um Sicherheitsma\u00dfnahmen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-0338 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0338.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-0338 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0338"
},
{
"category": "external",
"summary": "GitHub Security Advisory vom 2024-02-09",
"url": "https://github.com/advisories/GHSA-rprw-7v7r-h7jp"
},
{
"category": "external",
"summary": "National Vulnerability Database CVE-2024-25674 vom 2024-02-09",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25674"
},
{
"category": "external",
"summary": "MISP Release 2.4.184 vom 2024-02-09",
"url": "https://github.com/MISP/MISP/releases/tag/v2.4.184"
}
],
"source_lang": "en-US",
"title": "MISP: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-02-08T23:00:00.000+00:00",
"generator": {
"date": "2024-02-15T17:59:47.358+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.0"
}
},
"id": "WID-SEC-W-2024-0338",
"initial_release_date": "2024-02-08T23:00:00.000+00:00",
"revision_history": [
{
"date": "2024-02-08T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c 2.4.184",
"product": {
"name": "Open Source MISP \u003c 2.4.184",
"product_id": "T032655",
"product_identification_helper": {
"cpe": "cpe:/a:misp:misp:2.4.184"
}
}
}
],
"category": "product_name",
"name": "MISP"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-25675",
"notes": [
{
"category": "description",
"text": "Es gibt eine Schwachstelle in MISP in \"app/Controller/JobsController.php\" und \"app/View/Events/export.ctp\". Diese Komponenten pr\u00fcfen nicht, ob eine Anfrage zum Starten eines Exportgenerierungsprozesses die HTTP POST Methode verwendet. Ein Angreifer kann diese Schwachstelle ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
}
],
"release_date": "2024-02-08T23:00:00Z",
"title": "CVE-2024-25675"
},
{
"cve": "CVE-2024-25674",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in MISP aufgrund fehlender Pr\u00fcfungen von Dateierweiterung und MIME-Typ beim \"Organisation logo upload\" Prozess. Ein Angreifer kann diese Schwachstelle ausnutzen, um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen."
}
],
"release_date": "2024-02-08T23:00:00Z",
"title": "CVE-2024-25674"
},
{
"notes": [
{
"category": "description",
"text": "Es gibt eine Schwachstelle in MISP, aufgrund fehlender ACL-Kontrollen in der \"fullChange\"-Funktion der Auditlogs. Ein Angreifer kann dies ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen."
}
],
"release_date": "2024-02-08T23:00:00Z"
}
]
}
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-25674"
],
"details": "An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.",
"id": "GSD-2024-25674",
"modified": "2024-02-10T06:02:58.220453Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2024-25674",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/MISP/MISP/commit/312d2d5422235235ddd211dcb6bb5bb09c07791f",
"refsource": "MISC",
"url": "https://github.com/MISP/MISP/commit/312d2d5422235235ddd211dcb6bb5bb09c07791f"
},
{
"name": "https://github.com/MISP/MISP/compare/v2.4.183...v2.4.184",
"refsource": "MISC",
"url": "https://github.com/MISP/MISP/compare/v2.4.183...v2.4.184"
}
]
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92E5DACC-4136-41BD-AF20-BC889159DB39",
"versionEndExcluding": "2.4.184",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en MISP antes de la versi\u00f3n 2.4.184. La carga del logotipo de la organizaci\u00f3n no es segura debido a la falta de comprobaciones de la extensi\u00f3n del archivo y el tipo MIME."
}
],
"id": "CVE-2024-25674",
"lastModified": "2024-02-12T14:30:40.343",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-09T09:15:08.597",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/MISP/MISP/commit/312d2d5422235235ddd211dcb6bb5bb09c07791f"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/MISP/MISP/compare/v2.4.183...v2.4.184"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
}
}
}
An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.
Show details on source website{
"affected": [],
"aliases": [
"CVE-2024-25674"
],
"database_specific": {
"cwe_ids": [
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-09T09:15:08Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.",
"id": "GHSA-wj6j-6g37-7vch",
"modified": "2024-02-12T15:30:23Z",
"published": "2024-02-09T09:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25674"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/312d2d5422235235ddd211dcb6bb5bb09c07791f"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/compare/v2.4.183...v2.4.184"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}