SecBoard

CVE-2018-6926

CRITICAL (9.0)

AV:N/AC:L/Au:S/C:C/I:C/A:C

Risk Signal Score: 23/100 — LOW
  • CVSS 9 — Critical

EPSS Score

2%

Exploit probability (30 days)

CVSS Score

9

Technical severity

Description

In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hat Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrator.

References