CVE-2021-31780
📋 TL;DR
This vulnerability in MISP allows information disclosure when editing events with sharing groups. An incorrect sharing group association causes the system to reuse a local ID instead of the proper sharing group, potentially exposing sensitive event data to unauthorized users. All MISP instances running version 2.4.141 are affected.
💻 Affected Systems
- MISP (Malware Information Sharing Platform)
📦 What is this software?
MISP by MISP
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users gain access to sensitive threat intelligence data, including restricted sharing group information, potentially exposing confidential indicators and event details.
Likely Case
Limited information disclosure where users see event data they shouldn't have access to, potentially violating data sharing agreements and privacy requirements.
If Mitigated
Minimal impact with proper access controls and monitoring, though the vulnerability still exists in the codebase.
🎯 Exploit Status
Exploitation requires authenticated access to edit events and knowledge of the vulnerability. The commit shows the specific code flaw.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit a0f08501d2850025892e703f40fb1570c7995478
Vendor Advisory: https://github.com/MISP/MISP/commit/a0f08501d2850025892e703f40fb1570c7995478
Restart Required: No
Instructions:
1. Update MISP to version 2.4.142 or later.
2. Apply the specific commit a0f08501d2850025892e703f40fb1570c7995478 if using a custom deployment.
3. Verify the fix by testing event editing with sharing groups.
🔧 Temporary Workarounds
Restrict Event Editing Permissions
Limit which users can edit events to reduce attack surface
Disable Sharing Group Features
Temporarily disable sharing group functionality if not critical
🧯 If You Can't Patch
- Implement strict access controls and audit logging for all event editing activities
- Monitor for unusual access patterns to sharing group data and implement network segmentation
🔍 How to Verify
Check if Vulnerable:
Check MISP version via web interface or by examining the installation directory. Version 2.4.141 is vulnerable.
Check Version:
Check MISP web interface admin panel or examine /var/www/MISP/VERSION.json file
Verify Fix Applied:
Verify version is 2.4.142 or later, or check that commit a0f08501d2850025892e703f40fb1570c7995478 is applied in the codebase.
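The two checks above can be scripted. The following is an added example, not code from the MISP project or the original advisory; it assumes VERSION.json holds integer "major", "minor" and "hotfix" keys and that the installation is a git checkout for the commit test. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a MISP install against CVE-2021-31780.
# Assumption: VERSION.json holds integer "major", "minor" and "hotfix" keys.

FIX_COMMIT="a0f08501d2850025892e703f40fb1570c7995478"  # commit named in the advisory

# Extract one integer field from a JSON file without requiring jq.
json_int() {
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# Print "vulnerable", "fixed" or "unknown" for the given VERSION.json path.
misp_cve_2021_31780_status() {
    file="$1"
    [ -r "$file" ] || { echo "unknown"; return 0; }
    major=$(json_int "$file" major)
    minor=$(json_int "$file" minor)
    hotfix=$(json_int "$file" hotfix)
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$hotfix" ]; then
        echo "unknown"; return 0
    fi
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 4 ]; }; then
        echo "fixed"
    elif [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$hotfix" -ge 142 ]; then
        echo "fixed"
    elif [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$hotfix" -eq 141 ]; then
        echo "vulnerable"
    else
        echo "unknown"   # the advisory only names 2.4.141 as affected
    fi
}

# For git-based deployments: succeeds only if the fix commit is an ancestor of HEAD.
misp_has_fix_commit() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# Run directly with the install directory, e.g.: sh check.sh /var/www/MISP
if [ -n "${1:-}" ]; then
    echo "version check: $(misp_cve_2021_31780_status "$1/VERSION.json")"
    if misp_has_fix_commit "$1"; then
        echo "fix commit present in checkout"
    else
        echo "fix commit not found (or not a git checkout)"
    fi
fi
```

An "unknown" result means the version file was unreadable or reports a release older than 2.4.141, which this advisory does not classify.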
📡 Detection & Monitoring
Log Indicators:
- Unusual event edit patterns
- Multiple failed sharing group associations
- Access to events outside normal user patterns
Network Indicators:
- Increased API calls to event editing endpoints
- Unusual data export patterns
SIEM Query:
source="misp" AND (event="edit" OR event="update") AND sharing_group_id!=null AND user NOT IN [authorized_users]