CVE-2024-45509: Improper Access Control in MISP Leading to Credential Exposure
Description
On August 26, the security team at Green Tick Nepal Pvt. Ltd., based in Kathmandu, Nepal, identified a vulnerability in MISP (version 2.4.196). The issue is in app/Controller/BookmarksController.php, where access control is insufficiently enforced. This flaw allows users who are not organization administrators to access sensitive bookmarks data they are not authorized to see.
Proof of Concept
The security team of Green Tick Nepal Pvt. Ltd. demonstrated this vulnerability by publishing a Proof of Concept (POC). The POC shows that the vulnerability in MISP (version 2.4.196) exposes critical user information in the HTTP response, including the hashed passwords, authentication keys, and TOTP keys of the users who created bookmarks. As a result, low-privilege users could access sensitive data belonging to other users.
Solution
- Ensure that access to bookmarks data in BookmarksController.php is restricted based on user roles and permissions.
- Before executing any action in BookmarksController.php, validate the user's role to ensure they have the necessary permissions to access or modify bookmark data.
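As a complement to the role checks above, a regression check can confirm that a bookmarks response no longer carries credential material. The following is an added example, not MISP code or code from the advisory; the key names `password`, `authkey` and `totp` and the shape of the sample response are assumptions standing in for the hashed passwords, authentication keys and TOTP keys the advisory lists.

```python
import json

# Assumed key names for the credential material named in the advisory
# (hashed password, authentication key, TOTP key); adjust to the real schema.
SENSITIVE_KEYS = {"password", "authkey", "totp"}

# Constructed sample: a bookmark list whose first entry embeds the full creator record.
SAMPLE_RESPONSE = json.dumps([
    {"Bookmark": {"id": "1", "name": "Docs"},
     "User": {"id": "7", "email": "analyst@example.org",
              "password": "<constructed-hash>",
              "authkey": "<constructed-authkey>",
              "totp": "<constructed-totp-secret>"}},
    {"Bookmark": {"id": "2", "name": "Wiki"},
     "User": {"id": "9", "email": "admin@example.org"}},
])


def find_sensitive_fields(node, path="$"):
    """Return JSON paths of every non-empty sensitive key found at any depth."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS and value not in (None, "", [], {}):
                hits.append(child)
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_sensitive_fields(item, f"{path}[{index}]"))
    return hits


def strip_sensitive_fields(node):
    """Return a copy with sensitive keys dropped (defence in depth at serialization)."""
    if isinstance(node, dict):
        return {k: strip_sensitive_fields(v) for k, v in node.items()
                if k.lower() not in SENSITIVE_KEYS}
    if isinstance(node, list):
        return [strip_sensitive_fields(item) for item in node]
    return node


if __name__ == "__main__":
    body = json.loads(SAMPLE_RESPONSE)
    print("before:", find_sensitive_fields(body))
    print("after: ", find_sensitive_fields(strip_sensitive_fields(body)))
```

Run against responses captured with a low-privilege test account on your own instance, an empty result from `find_sensitive_fields` is the pass condition.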
| CVE-ID | Description | Products |
| --- | --- | --- |
| CVE-2024-45509 | In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin. | MISP through 2.4.196 |
History
2024-08-25: Vulnerability found.
2024-08-26: Vendor contacted.
2024-08-26: Vendor acknowledged.
2024-09-01: CVE Published.
References
https://vulnerability.circl.lu/vuln/cve-2024-45509
https://nvd.nist.gov/vuln/detail/CVE-2024-45509