External risk intelligence

MISP generic template index table vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2021-35502

MISP (Malware Information Sharing Platform) is a web-based application frequently deployed as an internet-facing or edge service to facilitate the sharing of threat intelligence between organizations. Because it acts as a web-accessible platform for collaborative data exchange, it is commonly exposed to network environments where it is reachable by authorized external or internal users.

Misp Project Misp

2.4.144

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability affects MISP, a platform used for sharing threat intelligence. It involves improperly handled data that could potentially lead to widespread compromise of the system and its information. Leadership should be aware of this issue due to the nature of MISP as a collaborative intelligence-sharing tool.

  • Unsanitized data can lead to system compromise.
  • It impacts threat intelligence sharing platforms.
  • Confirm relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could reach the vulnerable component over the network without needing any special access. The vulnerability exists in how the application handles certain data related to generic templates. When this data is not properly sanitized, it could lead to a compromise of the application.

  • Network access is required.
  • Unsanitized data triggers vulnerability.
  • Allows critical data compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to impact the integrity and availability of the MISP application when specific data is not properly sanitized. The issue lies in how certain data related to generic-template:index is processed, potentially leading to unintended service behavior or information disclosure when supported by the advisory.

  • Application integrity and availability.
  • Unsanitized data processing.
  • Potential for service disruption.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners are likely responsible for addressing this vulnerability in MISP, with potential collaboration from infrastructure or security teams depending on deployment. The first practical step is to identify all instances of the affected MISP application, confirm its network reachability and business criticality, and then assign an owner for remediation planning based on the assessed risk.

  • Assign ownership for MISP instances.
  • Verify network reachability and criticality.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MISP?

MISP, or the Malware Information Sharing Platform, is a specialized, open-source software application designed to help organizations collect, store, and share threat intelligence. Because it functions as a collaborative, web-based hub, users rely on it to exchange technical indicators of compromise and other security data with partners to improve collective defense. It is frequently deployed as a centralized service that must remain reachable to facilitate these ongoing, distributed data exchanges.

What is the vulnerability in CVE-2021-35502?

This CVE describes an input validation failure. In technical terms, the application fails to sanitize specific data processed by its index table templates. Essentially, the software does not properly filter or clean incoming information before handling it, allowing that data to influence how the application behaves. This oversight creates a weakness where the system may inadvertently process malicious input, potentially compromising the application's overall integrity.

How is CVE-2021-35502 triggered?

An attacker triggers this vulnerability by sending specially crafted data that the application then processes through its generic template index. Crucially, this does not require the attacker to have a pre-existing account or administrative credentials. While the vulnerability hinges on the lack of sanitization, it is not triggered by standard, benign navigation of the user interface; it requires the specific, improperly handled data to be present and processed by the system.

Do I need to worry about this MISP vulnerability?

If you manage a MISP instance, you should prioritize this issue. According to Halo Surface Signal, MISP is frequently deployed as an internet-facing or edge service to enable broad intelligence sharing. Because the vulnerability is accessible over the network without requiring prior authentication, any instance reachable by external users or located on a public-facing network segment faces an increased risk of unauthorized interaction.

How should I respond to this vulnerability?

Start by identifying all instances of MISP currently running in your environment. Once you have an inventory, verify the network reachability of each server—specifically noting which are exposed to the internet versus those limited to internal segments—and evaluate their business criticality. Assign a clear owner for each instance to coordinate with security or infrastructure teams to plan and execute the necessary updates to mitigate the risk of compromise.

References