External risk intelligence

MISP Export Vulnerability Allows Unauthorized File Upload

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2024-29859

MISP (Malware Information Sharing Platform) is typically deployed as a web-based application intended for collaboration and data exchange. While often restricted to authorized users or specific organizational networks, its core function as a shared portal and web service makes public-facing or internet-reachable deployment a common architectural pattern.

Unrestricted File Upload

Misp Project Misp

before 2.4.187

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in MISP software could allow unauthorized file uploads, potentially impacting system integrity and data confidentiality if exploited. The primary concern is to confirm if our organization utilizes the affected MISP versions and assess any potential exposure.

  • Allows unauthorized file uploads.
  • Matters for system integrity and data.
  • Confirm relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker could reach this vulnerability by uploading a file to MISP. The vulnerability is in the `add_misp_export` feature, which does not properly validate file uploads. Successful exploitation could lead to unauthorized code execution or data manipulation.

  • No authentication needed to access.
  • Uploading a crafted file triggers it.
  • Risk of code execution and data compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to upload arbitrary files to the server when the file upload validation is not correctly performed. Supported conditions include when the affected component is exposed to the network.

  • System files and user data could be compromised.
  • Arbitrary file uploads may occur.
  • Could lead to unauthorized system access.

Operational Fix

Recommended remediation, mitigation, and detection steps

The MISP platform owner and the infrastructure team are likely responsible for addressing this vulnerability. The first practical step is to identify all MISP instances within the environment, determine their network exposure, and assess their business criticality. Once these factors are understood, the accountable owner should be identified, and remediation or mitigation planning can commence based on the assessed risk.

  • Identify MISP instances and exposure.
  • Confirm asset ownership and criticality.
  • Plan remediation or implement mitigations.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MISP and why is it used?

MISP, or Malware Information Sharing Platform, is an open-source software suite designed for gathering, correlating, and distributing indicators of compromise. Security teams and threat intelligence analysts use it as a central hub to manage data about cyber threats, enabling collaborative defense and rapid information sharing between trusted partners and different organizations.

How does CVE-2024-29859 work in plain English?

This vulnerability falls under the weakness class of Unrestricted Upload of File with Dangerous Type. In simple terms, the software fails to properly check or verify files being submitted to the system through a specific export function. Because the application does not validate the nature of these files, an attacker could potentially upload malicious data that the system mistakenly processes or stores, leading to a compromise of the application's integrity.

Do I need to be authenticated to trigger CVE-2024-29859?

No, authentication is not a precondition for this vulnerability. The flaw exists within the processing logic of the file upload mechanism itself, meaning an attacker does not need to have a valid user account or be logged into the platform to attempt an upload. Simply interacting with the affected export component with a crafted file is sufficient to potentially trigger the weakness.

Why is MISP network exposure a factor for CVE-2024-29859?

Halo Surface Signal identifies MISP as a web-based application frequently deployed as a collaborative portal. Because the vulnerability is reachable over a network, instances that are internet-facing are at a higher risk of being reached by external actors. While internal deployments are still susceptible, those accessible via the public internet have a wider attack surface, increasing the likelihood that an unauthorized party could interact with the affected file upload feature.

When should I prioritize fixing this vulnerability?

You should prioritize this by first conducting an inventory to locate all MISP instances running version 2.4.186 or earlier. Once you have identified your footprint, determine which instances are business-critical and which have network exposure. Your primary goal is to engage the platform owners to plan for an update, as upgrading to a patched version is the necessary step to resolve the underlying validation flaw.

References