CVE-2020-11458

MISP/MISP

on github

Published

April 2, 2020

Severity

CVSS v3:

4.9 MEDIUM

CVSS v2:

4 MEDIUM

Description

app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leaks of strings that match certain patterns. Among the data that can leak are passwords from database.php or GPG key passphrases from config.php.

References

https://github.com/MISP/MISP/commit/30ff4b6451549dae7b526d4fb3a49061311ed477
https://matthias.sdfeu.org/misp-poc.py

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:misp:misp::::::::	n/a	2.4.124	*

External Links

NVD - CVE-2020-11458