External risk intelligence

MISP Blind SQL Injection via Query Parameter Filtering

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2023-48655

MISP (Malware Information Sharing Platform) is commonly deployed as an internet-facing or inter-organizational web application to facilitate the sharing of threat intelligence. As a web-based platform with network-reachable query parameters, it is frequently exposed to external networks to enable connectivity between different trust zones or organizations.

Misp Project Misp

before 2.4.176

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in the MISP platform that could allow unauthorized access and manipulation of data. This issue stems from improper filtering of query parameters within the application's components.

  • Unsafe query handling can expose data.
  • Leadership should note MISP's role in threat intelligence.
  • Verify MISP platform relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker can target a web-based threat intelligence platform by sending specially crafted requests to its web interface. This occurs when the platform fails to properly filter query parameters, potentially allowing an attacker to manipulate database queries. This vulnerability could lead to unauthorized access and modification of sensitive data.

  • No authentication required to trigger.
  • Exploits improper filtering of query parameters.
  • Leads to unauthorized data access and modification.

Live Threat

Current exploitation, exposure, and threat context

When MISP's query parameter filtering is bypassed, it could allow an unauthenticated attacker to inject malicious SQL commands. This could potentially lead to unauthorized access to system data, user data, or sensitive information within the application.

  • System and user data.
  • Query parameters may be manipulated.
  • Unauthorized data access or modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

The MISP application owner or the platform team managing the instance is responsible for addressing this vulnerability. The first practical step is to locate all deployed MISP instances, assess their external reachability and business criticality, and then confirm the accountable owner for each. Remediation planning should follow based on these findings.

  • Confirm MISP instance ownership and scope.
  • Verify external reachability and business impact.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MISP?

MISP, or Malware Information Sharing Platform, is an open-source software suite designed for gathering, correlating, and distributing indicators of compromise and threat intelligence. Organizations use it to collaborate on cybersecurity investigations and share actionable data across different trust zones. Because it acts as a central repository for sensitive threat data, it is a critical component in defensive security infrastructures.

What does CVE-2023-48655 mean?

This CVE identifies a security weakness known as Improper Encoding or Escaping of Output, categorized as CWE-116. In the context of MISP, the application fails to properly sanitize or filter data submitted through query parameters before processing it. This technical oversight allows the application to incorrectly handle user input, potentially enabling an attacker to interfere with the database queries the system executes.

How can an attacker trigger this vulnerability?

An attacker can initiate this issue by sending specially crafted web requests containing malicious query parameters to a vulnerable MISP instance. The vulnerability does not require any prior authentication or special user privileges to trigger. However, simply browsing the site or interacting with standard, well-formed input features does not activate the flaw; it specifically requires the input of manipulated data designed to bypass the platform's insufficient filtering mechanisms.

Is my MISP instance at risk?

According to Halo Surface Signal, MISP is frequently deployed as an internet-facing web application to support inter-organizational threat intelligence sharing. Because the software is often reachable from external networks to facilitate this connectivity, instances exposed to the public internet are at a higher risk of being targeted. If your MISP deployment is accessible to external entities or sits in a network zone reachable from the web, it should be prioritized for review.

What should I do to address this issue?

The first step is to perform an internal audit to identify all MISP instances currently running within your organization. Confirm which versions are deployed and verify their network exposure and business criticality. Once you have identified these instances and their respective owners, you should verify if they are running a version earlier than 2.4.176. Remediation planning should focus on coordinating the update to a patched version with the team responsible for managing the platform.

References