Horizon Alert
Summary of the vulnerability and why it matters
A critical security flaw in MISP, an open-source threat intelligence platform, allows attackers to inject malicious SQL code. This vulnerability could potentially expose sensitive data or allow unauthorized modifications to the platform's database. It is important for organizations using MISP to address this issue promptly.
- Remotely exploitable by attackers.
- Impact: compromised data or system integrity.
- Affects MISP instances prior to the fixed release.
Attack Path
How an attacker could exploit the issue
An attacker could exploit this SQL injection vulnerability by sending crafted requests to the event and shadow attribute listing endpoints. These requests would manipulate ordering parameters to inject malicious SQL code, potentially leading to unauthorized data access or modification within the MISP database. This attack requires direct access to the vulnerable application endpoints.
- Unauthenticated access to endpoints
- Manipulate order/sort parameters
- Server-side SQL injection
Live Threat
Current exploitation, exposure, and threat context
This SQL injection vulnerability in MISP allows unauthenticated attackers to craft malicious order parameters to manipulate database queries. While the impact can range from data exposure to query modification, the specific threat depends heavily on the database permissions and the context of the query. It is not yet clear if this has been actively weaponized.
- No known public exploit.
- No KEV listing observed.
- The vulnerability was not disclosed recently.
Priority actions
Operational Fix
Recommended remediation, mitigation, and detection steps
Prioritize patching MISP instances to version 2.5.37 or later to address the SQL injection vulnerability. If immediate patching is not feasible, implement strict input validation on ordering parameters and monitor database logs for suspicious query patterns.
- Upgrade to 2.5.37 or newer.
- Block SQL injection attempts at the WAF.
- Monitor for unusual database queries.
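The mitigation above, strict validation of ordering parameters plus monitoring for requests that step outside the expected values, is shown here as an added example. This is not MISP's code: the table, column names, endpoint path and log lines are constructed for the demonstration, and the approach (an allow-list that maps a request parameter to a fixed ORDER BY fragment, with everything else rejected rather than interpolated) is the general pattern for the parameter class named under Attack Path.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Allow-list of sortable columns: request value -> column expression we are
# willing to emit. These names are hypothetical, not MISP's schema.
SORTABLE_COLUMNS = {
    "id": '"id"',
    "date": '"date"',
    "info": '"info"',
    "threat_level": '"threat_level_id"',
}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


class BadOrderParameter(ValueError):
    """Raised when sort/direction are not on the allow-list."""


def safe_order_clause(sort, direction="asc"):
    """Map user-supplied sort/direction to a fixed ORDER BY fragment.

    ORDER BY cannot be bound as a query parameter, so the only safe source for
    its text is a lookup table; any value not in it is rejected outright.
    """
    try:
        column = SORTABLE_COLUMNS[str(sort)]
        dir_sql = DIRECTIONS[str(direction).lower()]
    except KeyError:
        raise BadOrderParameter(
            f"unsupported ordering: sort={sort!r} direction={direction!r}"
        )
    return f"ORDER BY {column} {dir_sql}"


def list_events(conn, org_id, sort="id", direction="asc"):
    """Row filters go through bind parameters; ORDER BY text comes only from
    the allow-list, never from the raw request."""
    sql = (
        "SELECT id, info FROM events WHERE org_id = ? "
        + safe_order_clause(sort, direction)
    )
    return [row[0] for row in conn.execute(sql, (org_id,))]


# Constructed access-log lines for the detection check (hypothetical path).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /events/index?sort=date&direction=desc HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /events/index?sort=id,info&direction=asc HTTP/1.1" 200 498',
    '10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /events/index HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /events/index?sort=date&direction=sideways HTTP/1.1" 200 498',
]


def suspicious_order_requests(log_lines):
    """Return log lines whose sort/direction values fall outside the
    allow-list. A coarse hunt query for web logs, complementing the fix."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query)
        sort = params.get("sort", ["id"])[0]
        direction = params.get("direction", ["asc"])[0]
        if sort not in SORTABLE_COLUMNS or direction.lower() not in DIRECTIONS:
            flagged.append(line)
    return flagged


def demo_db():
    """In-memory table with constructed rows, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER, org_id INTEGER, info TEXT,"
        " date TEXT, threat_level_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO events VALUES (?,?,?,?,?)",
        [
            (1, 1, "phishing wave", "2024-01-03", 2),
            (2, 1, "c2 infrastructure", "2024-01-01", 1),
            (3, 2, "other organisation", "2024-01-02", 3),
        ],
    )
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(list_events(conn, 1, "date", "desc"))
    try:
        list_events(conn, 1, "not_a_column", "asc")
    except BadOrderParameter as exc:
        print("rejected:", exc)
    for line in suspicious_order_requests(SAMPLE_LOG_LINES):
        print("flagged:", line)
```

The design choice worth noting is that the validator never echoes the request value into SQL: it returns a string built entirely from constants, so even a value that happens to look like a column name with extra characters is dropped. The log check uses the same allow-list, which keeps detection and prevention in agreement about what "expected" ordering looks like.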