CVE-2018-6926

MISP/MISP

on github

Published

February 12, 2018

Severity

CVSS v3:

7.2 HIGH

CVSS v2:

9 HIGH

Description

In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrator.

References

https://github.com/MISP/MISP/commit/0a2aa9d52492d960b9a161160acedbe9caaa4126

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:misp:misp:2.4.87:::::::*	n/a	n/a	2.4.87

External Links

NVD - CVE-2018-6926