exploitDog

CVE-2017-14337

Опубликовано: 12 сент. 2017

Источник: nvd

CVSS3: 8.1

CVSS2: 6.8

EPSS Низкий

Описание

When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user can be granted access as an arbitrary user.

Ссылки

https://github.com/MISP/MISP/commit/be111a470204a974c50682054c9c7d4b94396ed9
Third Party Advisory
https://www.circl.lu/advisory/CVE-2017-14337/
Third Party Advisory
https://github.com/MISP/MISP/commit/be111a470204a974c50682054c9c7d4b94396ed9
Third Party Advisory
https://www.circl.lu/advisory/CVE-2017-14337/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:*

Версия до 2.4.79 (включая)

EPSS

Процентиль: 70%

0.00624

Низкий

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-287

Связанные уязвимости

GHSA-w24v-rj49-6hh3

CVSS3: 8.1

github

больше 3 лет назад

When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user can be granted access as an arbitrary user.

EPSS

Процентиль: 70%

0.00624

Низкий

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-287