CVE-2021-39302

9.8 CRITICAL

📋 TL;DR

This vulnerability allows SQL injection in MISP (Malware Information Sharing Platform) through the Log.php component. Attackers can execute arbitrary SQL commands by manipulating the 'org' parameter value. Organizations running vulnerable MISP instances with certain configurations are affected.

💻 Affected Systems

Products:
  • MISP (Malware Information Sharing Platform)
Versions: 2.4.148 and potentially earlier versions
Operating Systems: All platforms running MISP
Default Config Vulnerable: ✅ No
Notes: Requires specific configurations where the vulnerable Log.php component processes untrusted 'org' parameter values.

📦 What is this software?

MISP is an open-source threat intelligence platform used to collect, store and share indicators of compromise and related threat information between organizations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, and potential remote code execution on the database server.

🟠 Likely Case

Unauthorized data access, data manipulation, and potential privilege escalation within the MISP application.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 20d9020b76d1f6790c4d84e020d0cc97c929f66b and later versions

Vendor Advisory: https://github.com/MISP/MISP/commit/20d9020b76d1f6790c4d84e020d0cc97c929f66b

Restart Required: Yes

Instructions:

1. Update MISP to a version that includes commit 20d9020b76d1f6790c4d84e020d0cc97c929f66b.
2. Alternatively, apply the patch from the GitHub commit.
3. Restart the MISP application and web server.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Implement strict input validation for the 'org' parameter in Log.php:

# Modify app/Model/Log.php to sanitize $conditions['org'] input

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Restrict database user permissions to minimize potential damage from successful exploitation

🔍 How to Verify

Check if Vulnerable:

Check if MISP version is 2.4.148 or earlier and review Log.php for unsanitized $conditions['org'] usage

Check Version:

Check MISP version in web interface or configuration files

Verify Fix Applied:

Verify the patch from commit 20d9020b76d1f6790c4d84e020d0cc97c929f66b is applied to Log.php

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts with SQL-like patterns in 'org' parameter

Network Indicators:

  • HTTP requests containing SQL injection patterns in parameters

SIEM Query:

Search web server logs for requests whose 'org' parameter contains SQL keywords (SELECT, UNION, etc.) or quote/comment characters.
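A small detector for the log indicator above, added here as an example and not part of the original advisory or the MISP project. It assumes combined-format web server access logs and that the 'org' value travels in the query string (the page does not give the exact MISP request path); it also decodes a second time to catch double URL-encoded values. Sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Keywords from the advisory's SIEM guidance, word-bounded so an organisation
# name such as "Selective Org" does not trigger on the substring "select".
SQL_KEYWORDS = ("select", "union", "insert", "update", "delete", "drop", "sleep", "benchmark")
SQL_PATTERN = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)
# Quote and comment characters that rarely belong in a legitimate org name.
META_PATTERN = re.compile(r"['\"]|--|/\*|;")

# Combined log format: client ident user [time] "METHOD URI PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def org_params(uri):
    """Return every 'org' query value; parse_qs decodes once, unquote_plus a second time."""
    values = parse_qs(urlsplit(uri).query, keep_blank_values=True).get("org", [])
    return [unquote_plus(v) for v in values]

def classify_org_value(value):
    """Return the reasons a value looks like injection (empty list when clean)."""
    reasons = []
    if SQL_PATTERN.search(value):
        reasons.append("sql-keyword")
    if META_PATTERN.search(value):
        reasons.append("sql-metachar")
    return reasons

def scan_access_log(lines):
    """Return (ip, timestamp, uri, reasons) for each request with a suspicious 'org' value."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than crash
        for value in org_params(m.group("uri")):
            reasons = classify_org_value(value)
            if reasons:
                hits.append((m.group("ip"), m.group("ts"), m.group("uri"), reasons))
    return hits

# Constructed sample: one benign request, one keyword-bearing, one double-encoded quote,
# one benign name that merely contains "Select".
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2021:10:01:02 +0000] "GET /logs/index?org=CIRCL HTTP/1.1" 200 5120
203.0.113.7 - - [10/Sep/2021:10:01:09 +0000] "GET /logs/index?org=ACME%27%20UNION%20SELECT%201 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Sep/2021:10:01:15 +0000] "GET /logs/index?org=ACME%2527 HTTP/1.1" 200 5120
198.51.100.2 - - [10/Sep/2021:10:02:00 +0000] "GET /events/index?org=Selective%20Org HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Narrowing the match to the logs endpoint, or adding the `org` value to an allow-list of known organisation names, reduces noise once the log path used by your deployment is confirmed.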
