Horizon Alert
Summary of the vulnerability and why it matters
This advisory addresses a flaw in MISP Core related to how it handles bulk deletions of event reports and sharing groups. The issue allowed users with broad permissions to delete content and configurations belonging to other organizations, potentially leading to data loss across the platform. The primary concern is to confirm if your deployment is affected and what exposure it may have.
- Access control flaw in bulk delete functions.
- Confirms relevance and exposure of MISP.
- Understand potential for unauthorized data deletion.
Attack Path
How an attacker could exploit the issue
An attacker with contributor-level access could exploit this vulnerability by sending specially crafted requests to delete event reports or sharing groups they do not own. This bypasses checks designed to protect data belonging to other organizations, leading to the loss of critical information.
- Authenticated user with broad permissions.
- Bulk deletion endpoints.
- Loss of event-report or sharing-group data.
Live Threat
Current exploitation, exposure, and threat context
An authenticated user with broad role permissions could delete event reports or sharing groups that do not belong to their organization. This could lead to the irreversible loss of valuable threat intelligence data or misconfiguration of data sharing settings across the entire MISP instance.
- Event reports or sharing groups.
- Authenticated user abuses bulk delete functions.
- Loss of threat intelligence data.
Operational Fix
Recommended remediation, mitigation, and detection steps
This vulnerability in MISP Core's bulk deletion functionality impacts the platform administration and security teams. Action should begin with identifying all MISP instances, confirming their exposure, and locating the specific owner for each instance to prioritize remediation efforts.
- Own by MISP platform administrators.
- Verify instance reachability and owner.
- Plan remediation during maintenance windows.