exploitDog

CVE-2019-12868

Опубликовано: 18 июн. 2019

Источник: nvd

CVSS3: 7.2

CVSS2: 6.5

EPSS Низкий

Описание

app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.

Ссылки

https://github.com/MISP/MISP/commit/c42c5fe92783dd306b7600db1f6a25324445b40c
Patch
Third Party Advisory
https://zigrin.com/advisories/misp-command-injection-via-phar-deserialization/
https://github.com/MISP/MISP/commit/c42c5fe92783dd306b7600db1f6a25324445b40c
Patch
Third Party Advisory
https://zigrin.com/advisories/misp-command-injection-via-phar-deserialization/

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:misp:misp:2.4.109:*:*:*:*:*:*:*

EPSS

Процентиль: 83%

0.0196

Низкий

7.2 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-502

Связанные уязвимости

GHSA-p73m-v6fq-jvc8

CVSS3: 7.2

github

больше 3 лет назад

app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.

EPSS

Процентиль: 83%

0.0196

Низкий

7.2 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-502