CVE-2021-25323

9.1 CRITICAL

📋 TL;DR

CVE-2021-25323 is an authentication bypass vulnerability in MISP (Malware Information Sharing Platform) where users could change their passwords without providing their current password. This affects MISP instances running version 2.4.136 with default settings, allowing anyone who already holds a user's session or credentials to change that account's password without re-authenticating.

💻 Affected Systems

Products:
  • MISP (Malware Information Sharing Platform)
Versions: 2.4.136
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with default configuration where require_password_confirmation was not enabled.

📦 What is this software?

MISP is an open-source threat intelligence platform used to collect, store and share indicators of compromise and related threat data between organisations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with access to a user's session or compromised credentials could change the password, permanently locking out the legitimate user and maintaining persistent access to the account.

🟠 Likely Case

Attackers who gain temporary access to user accounts (through session hijacking or credential theft) could change passwords to maintain persistent access.

🟢 If Mitigated

With proper controls such as session management, strong authentication, and monitoring, impact is limited to a temporary account compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to a user account (authenticated session or stolen credentials). The vulnerability is simple to exploit once account access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.137 and later

Vendor Advisory: https://github.com/MISP/MISP/commit/afbf95a478b6e94f532ca0776c79da1b08be7eed

Restart Required: No

Instructions:

1. Update MISP to version 2.4.137 or later.
2. Verify that require_password_confirmation is enabled in the configuration.
3. No service restart is required for configuration changes.

🔧 Temporary Workarounds

Enable password confirmation requirement (applies to: all platforms)

Manually enable the require_password_confirmation setting in the MISP configuration: edit the MISP configuration file and set 'Security.require_password_confirmation' = true.

🧯 If You Can't Patch

  • Enable multi-factor authentication for all user accounts
  • Implement strict session management and monitoring for password change activities

🔍 How to Verify

Check if Vulnerable:

Check the MISP version, and verify whether Security.require_password_confirmation is set to false (or absent) in the configuration.

Check Version:

Check MISP web interface footer or database version table

Verify Fix Applied:

Verify that the MISP version is 2.4.137 or later and that Security.require_password_confirmation is set to true.
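The version-plus-setting check above, written out as an added example (it is not code from MISP or from this advisory). It assumes the JSON shapes returned by MISP's /servers/getVersion and /servers/serverSettings endpoints and runs on constructed sample data rather than a live instance.

```python
"""Classify a MISP instance for CVE-2021-25323 from two API responses.

Assumed input shapes (constructed below, no live calls are made):
  - GET /servers/getVersion     -> {"version": "2.4.136", ...}
  - GET /servers/serverSettings -> [{"setting": "...", "value": ...}, ...]
"""

FIXED_VERSION = (2, 4, 137)
SETTING = "Security.require_password_confirmation"


def parse_version(version):
    """Turn '2.4.136' into a comparable tuple (2, 4, 136)."""
    return tuple(int(part) for part in version.strip().split("."))


def confirmation_enabled(settings):
    """True only if the setting is present and enabled.

    MISP stores booleans, but exported configs may carry strings such as
    'false' or '0', so string values are normalised before the check.
    """
    for entry in settings:
        if entry.get("setting") == SETTING:
            value = entry.get("value")
            if isinstance(value, str):
                return value.strip().lower() in ("1", "true", "yes", "on")
            return bool(value)
    return False  # absent means the default applies, and the default was off


def assess(version_info, settings):
    """Return 'patched', 'mitigated' (workaround active) or 'vulnerable'."""
    if parse_version(version_info["version"]) >= FIXED_VERSION:
        return "patched"
    if confirmation_enabled(settings):
        return "mitigated"
    return "vulnerable"


# Constructed sample responses, not output from a real instance.
SAMPLE_VERSION = {"version": "2.4.136"}
SAMPLE_SETTINGS = [
    {"setting": "Security.password_policy_length", "value": 12},
    {"setting": SETTING, "value": False},
]

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SETTINGS))  # vulnerable
```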

📡 Detection & Monitoring

Log Indicators:

  • Multiple password change attempts from same user
  • Password changes without previous password verification logs

Network Indicators:

  • POST requests to password change endpoint without current password parameter

SIEM Query:

source="misp_logs" AND (event="password_change" AND NOT previous_password_verified)
