CVE-2022-27243

7.8 HIGH

📋 TL;DR

This vulnerability in MISP lets a site administrator turn the custom terms-of-use file setting (MISP.terms_file) into a Local File Inclusion (LFI): the configured name was joined onto the terms directory without being confined to it, so a value containing ../ made the terms page render any file readable by the web server process. It enables reading arbitrary files on the server, potentially exposing configuration files or credentials. Organizations running MISP versions before 2.4.156 are affected.

💻 Affected Systems

Products:
  • MISP (Malware Information Sharing Platform)
Versions: All versions before 2.4.156
Operating Systems: All platforms running MISP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a site administrator account, because MISP.terms_file is edited through Server Settings; once the value is set, the terms page (/users/terms) renders the target file to whoever views it.

📦 What is this software?

MISP is an open-source threat intelligence platform for collecting, storing and sharing indicators of compromise and related threat data between organizations. It is written in PHP on the CakePHP framework, and the terms-of-use page at issue is part of its web interface.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker holding a site-admin account reads files such as MISP's own configuration (database credentials, API keys), private keys, or anything else readable by the web server user, and uses them to reach the database and neighbouring systems, leading to complete compromise of the MISP host and the data it shares.

🟠

Likely Case

Attackers read configuration files containing API keys, database credentials, or other sensitive information that could be used for further attacks.

🟢

If Mitigated

With strict file permissions the readable set shrinks to what the web server account needs, but MISP's own configuration files (including database credentials) must stay readable by that account, so exposure of MISP's own secrets cannot be prevented this way; only the patch removes it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: No tooling required (the payload is a single setting value)
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a site-administrator account, but once that is held it is a single settings change followed by a visit to the terms page.
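To make the mechanism concrete, the following Python is an added illustration written for this page; it is not MISP's PHP code and not taken from the fix commit. The setting name MISP.terms_file and the directory app/files/terms are MISP's own; the function names, the temporary directory layout and the file contents are constructed for the example. It shows the vulnerable concatenation pattern beside a containment check based on canonical paths, and also covers a case a plain ".." string filter would miss: a symlink inside the terms directory is caught because realpath resolves it before the prefix comparison.

```python
import os
import tempfile

SETTING_NAME = "MISP.terms_file"  # the MISP server setting at issue


def resolve_terms_file_unsafe(terms_dir: str, setting_value: str) -> str:
    """Vulnerable pattern: concatenate the configured name onto the terms
    directory and trust the result. '../' segments walk out of it, and a
    symlink inside the directory is followed wherever it points."""
    return terms_dir.rstrip("/") + "/" + setting_value


def resolve_terms_file_safe(terms_dir: str, setting_value: str) -> str:
    """Hardened pattern: canonicalise both sides (realpath also follows
    symlinks) and require the result to stay inside the terms directory."""
    base = os.path.realpath(terms_dir)
    candidate = os.path.realpath(os.path.join(base, setting_value))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{SETTING_NAME} escapes the terms directory: {setting_value!r}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate


def read_terms(terms_dir: str, setting_value: str, resolver) -> str:
    """What the terms page does with the resolved path: read it for rendering."""
    with open(resolver(terms_dir, setting_value), encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed fixture (not a MISP install):
         <root>/app/files/terms/terms.html   legitimate terms file
         <root>/app/Config/database.php      sensitive file outside the terms dir
         <root>/app/files/terms/link -> ../../Config/database.php
    Each setting value is tried through both resolvers; the dict records
    the content served, or 'REJECTED' when the hardened check refuses."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        terms_dir = os.path.join(root, "app", "files", "terms")
        secret = os.path.join(root, "app", "Config", "database.php")
        os.makedirs(terms_dir)
        os.makedirs(os.path.dirname(secret))
        with open(os.path.join(terms_dir, "terms.html"), "w", encoding="utf-8") as fh:
            fh.write("<p>Terms of use</p>")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("<?php $config = ['password' => 'hunter2'];")
        os.symlink("../../Config/database.php", os.path.join(terms_dir, "link"))

        cases = {
            "legit": "terms.html",                     # what an admin should set
            "traversal": "../../Config/database.php",  # the CVE-2022-27243 pattern
            "symlink": "link",                         # a link already present in the directory
        }
        for name, value in cases.items():
            results[f"unsafe_{name}"] = read_terms(terms_dir, value, resolve_terms_file_unsafe)
            try:
                results[f"safe_{name}"] = read_terms(terms_dir, value, resolve_terms_file_safe)
            except ValueError:
                results[f"safe_{name}"] = "REJECTED"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value[:40]!r}")
```

The check compares canonical paths rather than searching the string for "..", which is why the symlink case is rejected as well; a filter that only strips ".." would still serve that file.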

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.156

Fix Commit: https://github.com/MISP/MISP/commit/8cc93687dcd68e1774b55a5c4e8125c0c8ddc288

Restart Required: No

Instructions:

1. Back up your MISP instance (database and the /var/www/MISP tree).
2. Update MISP to version 2.4.156 or later.
3. Verify the update completed successfully and review the current MISP.terms_file value in Server Settings.

🔧 Temporary Workarounds

Restrict file access permissions

Platform: linux

Set strict permissions on sensitive files that the web server process does not need to read (SSH keys, backups, other applications' configuration). Note the limit: MISP's own files, including app/Config/database.php, must remain readable by the web server account, so this does not protect MISP's own credentials.

# files the web server user must never read: owned by root, no group/other access
chmod 600 /path/to/sensitive/files
chown root:root /path/to/sensitive/files

Restrict who can set the terms file

Platform: all

Keep MISP.terms_file either unset or pointing at a known file name inside app/files/terms, reduce site-administrator accounts to the minimum, and alert on any change to that setting until the instance is patched.

🧯 If You Can't Patch

  • Implement strict file system permissions to limit readable files (this cannot cover MISP's own configuration, which the web server must read)
  • Use web application firewall rules on the server-settings edit request to block ../ sequences and absolute paths in the MISP.terms_file value; rules that inspect the /users/terms URL will not see the payload, because the path lives in the setting, not in the request

🔍 How to Verify

Check if Vulnerable:

Check the MISP version in the web interface (Administration > Server Settings & Maintenance > Diagnostics) or on the server: MISP records its version in VERSION.json (fields major, minor, hotfix), not in app/Config/config.php.

Check Version:

jq -r '"\(.major).\(.minor).\(.hotfix)"' /var/www/MISP/VERSION.json
curl -s -H "Authorization: $MISP_API_KEY" -H "Accept: application/json" https://misp.example.org/servers/getVersion

Verify Fix Applied:

Confirm the reported version is 2.4.156 or later, then review the current MISP.terms_file value in Server Settings and confirm it names a file inside app/files/terms.

📡 Detection & Monitoring

Log Indicators:

  • Edits to the MISP.terms_file server setting in MISP's application log whose new value contains ../ or an absolute path; the setting is the injection point, so this is the primary signal
  • Requests to /users/terms from the same account or address shortly after such an edit (the page render is where the included file is delivered); terms.ctp is the CakePHP view template that renders that page, not a URL

Network Indicators:

  • Path-traversal strings in the request that edits the server setting (/servers/serverSettingsEdit/MISP.terms_file), not in requests to /users/terms, which carry no file parameter

SIEM Query (field names follow MISP's log table and a generic web log; adjust to your export):

source="misp_application_logs" AND change="*MISP.terms_file*" AND (change="*../*" OR change="* /*")
source="web_server_logs" AND uri="/users/terms"
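The indicators above can be checked offline against exported logs. The following Python is an added example written for this page, not a MISP or vendor tool. The log field names (created, action, model, change, email, ip) match MISP's log table, but the "Setting changed: X to Y" wording, the sample entries and the access-log lines are constructed for this example and should be adapted to the real export. It flags MISP.terms_file edits whose value looks like traversal and then pairs each with the /users/terms reads that followed within a time window, which is the complete event: the edit plants the path and the page view delivers the file.

```python
import re
from datetime import datetime, timedelta, timezone

TERMS_SETTING = "MISP.terms_file"

# Constructed sample MISP log entries (field names follow MISP's log table;
# the "Setting changed: X to Y" wording is an assumption for this example).
SETTING_LOG = [
    {"created": "2022-03-20 10:14:55", "action": "edit", "model": "Server",
     "change": "Setting changed: MISP.terms_file to terms_v3.html",
     "email": "admin@example.org", "ip": "10.0.0.5"},
    {"created": "2022-03-20 10:15:02", "action": "edit", "model": "Server",
     "change": "Setting changed: MISP.terms_file to ../../Config/database.php",
     "email": "admin@example.org", "ip": "198.51.100.7"},
    {"created": "2022-03-20 10:20:00", "action": "edit", "model": "Server",
     "change": "Setting changed: MISP.baseurl to https://misp.example.org",
     "email": "admin@example.org", "ip": "10.0.0.5"},
]

# Constructed web server access log (combined format) for the same period.
ACCESS_LOG = """\
10.0.0.5 - - [20/Mar/2022:10:14:58 +0000] "GET /users/terms HTTP/1.1" 200 2310
198.51.100.7 - - [20/Mar/2022:10:15:40 +0000] "GET /users/terms HTTP/1.1" 200 5120
10.0.0.9 - - [20/Mar/2022:11:40:03 +0000] "GET /events/index HTTP/1.1" 200 9001
"""

SETTING_RE = re.compile(r"Setting changed: (?P<name>\S+) to (?P<value>.*)$")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_terms_value(value: str) -> bool:
    """True when a terms_file value could resolve outside app/files/terms:
    a '..' path segment, an absolute path, a NUL byte or a backslash."""
    v = value.strip()
    segments = re.split(r"[\\/]", v)
    return ".." in segments or v.startswith("/") or "\0" in v or "\\" in v


def flagged_setting_changes(entries):
    """Return the MISP.terms_file edits whose new value looks like traversal."""
    flagged = []
    for entry in entries:
        m = SETTING_RE.search(entry.get("change", ""))
        if not m or m.group("name") != TERMS_SETTING:
            continue
        if suspicious_terms_value(m.group("value")):
            # MISP's 'created' column carries no zone; UTC is assumed here.
            when = datetime.strptime(entry["created"], "%Y-%m-%d %H:%M:%S")
            flagged.append({"when": when.replace(tzinfo=timezone.utc),
                            "ip": entry["ip"], "email": entry["email"],
                            "value": m.group("value")})
    return flagged


def parse_access(text: str):
    """Yield one dict per parseable combined-format access log line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            yield {"ip": m.group("ip"),
                   "when": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
                   "path": m.group("path").split("?", 1)[0],
                   "status": int(m.group("status"))}


def correlate(entries, access_text: str, window=timedelta(minutes=10)):
    """For each suspicious terms_file change, collect the /users/terms reads
    inside the following window; that page render is where the included
    file actually reaches a browser."""
    terms_reads = [r for r in parse_access(access_text) if r["path"] == "/users/terms"]
    hits = []
    for change in flagged_setting_changes(entries):
        reads = [r for r in terms_reads
                 if change["when"] <= r["when"] <= change["when"] + window]
        hits.append({**change, "reads": reads})
    return hits


if __name__ == "__main__":
    for hit in correlate(SETTING_LOG, ACCESS_LOG):
        print(f"{hit['when']:%Y-%m-%d %H:%M:%S} {hit['email']} from {hit['ip']} "
              f"set {TERMS_SETTING}={hit['value']!r}; "
              f"{len(hit['reads'])} /users/terms read(s) followed")
```

The earlier legitimate edit to terms_v3.html and the /users/terms request that preceded the malicious edit are both left out of the result, which is the behaviour a tuned rule should have: the setting value is the discriminator, and the web log only adds the delivery timing.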

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-27243
  • Fix commit: https://github.com/MISP/MISP/commit/8cc93687dcd68e1774b55a5c4e8125c0c8ddc288