{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-013.pdf"
    },
    "title": "Critical SQL injection vulnerabilities in MISP",
    "serial_number": "2023-013",
    "publish_date": "21-02-2023 10:15:00",
    "description": "On February 20, 2023, the MISP project team released advisories regarding 2 critical SQL injection vulnerabilities in MISP Threat Intelligence and Sharing Platform. The team decided to follow a silent fix procedure, releasing several updates in November and December 2022, giving enough time to users to update their instances to a safe version.",
    "url_title": "2023-013",
    "content_markdown": "--- \ntitle: 'Critical SQL injection vulnerabilities in MISP'\nversion: '1.0'\nnumber: '2023-013'\noriginal_date: 'February 20, 2023'\ndate: 'February 21, 2023'\n---\n\n_History:_\n\n* _21/02/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn February 20, 2023, the MISP project team released advisories regarding 2 critical SQL injection vulnerabilities in MISP Threat Intelligence and Sharing Platform [1]. The team decided to follow a silent fix procedure, releasing several updates in November and December 2022, giving enough time to users to update their instances to a safe version.\n\n# Technical Details\n\n**CVE-2022-48329**\n\nThe MISP platform allowed users to provide custom field ordering for certain endpoints such as RestSearch. These ordering were set using URL parameters in the format of `/order:field_name`. However, the `order` parameter of the CakePHP `find()` function is not SQLi safe and thus, the MISP project team has  introduced field allow-listing for any occurrence of custom order fields. Any sorting relying on `/sort:field_name/direction:asc|desc` is unaffected and safe [2].\n\n**CVE-2022-48328**\n\nThe `CRUD` component of the MISP platform would allow for custom search parameters to be passed - and whilst the lookup values are SQLi safe and properly sanitised, the field names themselves are not. With some clever forged requests, these can be abused [2]. \n\n# Affected Products\n\n**CVE-2022-48329** [2]:\n\n- MISP before v2.4.166;\n\n**CVE-2022-48328** [2]:\n\n- MISP before v2.4.167;\n\n# Recommendations\n\nAs the project team released the version `2.4.167` on December 22, 2022, most of the MISP instances should be safe already. Nevertheless, CERT-EU recommends checking running MISP instance versions, and updating MISP Threat Intelligence and Sharing Platform to the latest version, when applicable, as soon as possible.\n\n# References\n\n[1] <https://www.misp-project.org/security/>\n\n[2] <https://www.misp-project.org/2023/02/20/Critical_SQL_Injection_Vulnerabilities_Fixed.html/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>21/02/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On February 20, 2023, the MISP project team released advisories regarding 2 critical SQL injection vulnerabilities in MISP Threat Intelligence and Sharing Platform [1]. The team decided to follow a silent fix procedure, releasing several updates in November and December 2022, giving enough time to users to update their instances to a safe version.</p><h2 id=\"technical-details\">Technical Details</h2><p><strong>CVE-2022-48329</strong></p><p>The MISP platform allowed users to provide custom field ordering for certain endpoints such as RestSearch. These ordering were set using URL parameters in the format of <code>/order:field_name</code>. However, the <code>order</code> parameter of the CakePHP <code>find()</code> function is not SQLi safe and thus, the MISP project team has introduced field allow-listing for any occurrence of custom order fields. Any sorting relying on <code>/sort:field_name/direction:asc|desc</code> is unaffected and safe [2].</p><p><strong>CVE-2022-48328</strong></p><p>The <code>CRUD</code> component of the MISP platform would allow for custom search parameters to be passed - and whilst the lookup values are SQLi safe and properly sanitised, the field names themselves are not. With some clever forged requests, these can be abused [2]. </p><h2 id=\"affected-products\">Affected Products</h2><p><strong>CVE-2022-48329</strong> [2]:</p><ul><li>MISP before v2.4.166;</li></ul><p><strong>CVE-2022-48328</strong> [2]:</p><ul><li>MISP before v2.4.167;</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>As the project team released the version <code>2.4.167</code> on December 22, 2022, most of the MISP instances should be safe already. Nevertheless, CERT-EU recommends checking running MISP instance versions, and updating MISP Threat Intelligence and Sharing Platform to the latest version, when applicable, as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.misp-project.org/security/\">https://www.misp-project.org/security/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.misp-project.org/2023/02/20/Critical_SQL_Injection_Vulnerabilities_Fixed.html/\">https://www.misp-project.org/2023/02/20/Critical_SQL_Injection_Vulnerabilities_Fixed.html/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}