CVE-2022-48328

9.8 CRITICAL

📋 TL;DR

This vulnerability in MISP (Malware Information Sharing Platform) allows SQL injection through mishandled URL parameters in the IndexFilterComponent. Attackers can exploit this to execute arbitrary SQL commands on the database. All MISP instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • MISP (Malware Information Sharing Platform)
Versions: All versions before 2.4.167
Operating Systems: All operating systems running MISP
Default Config Vulnerable: ⚠️ Yes
Notes: All MISP deployments using the vulnerable component are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data manipulation, or remote code execution via database functions.

🟠 Likely Case: Unauthorized data access, privilege escalation, or data exfiltration from the MISP database.

🟢 If Mitigated: Limited impact if database permissions are properly restricted and input validation is enforced elsewhere.

🌐 Internet-Facing: HIGH - MISP instances exposed to the internet are directly vulnerable to remote exploitation.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to MISP. The vulnerability is in a core component used for filtering/searching.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.167 and later

Vendor Advisory: https://github.com/MISP/MISP/commit/1edbc2569989f844799261a5f90edfa433d7dbcc

Restart Required: No

Instructions:

1. Back up your MISP instance and database.
2. Update MISP to version 2.4.167 or later using git: 'git pull origin 2.4'.
3. Run the update script: 'sudo -u www-data bash /var/www/MISP/app/Console/cake Admin runUpdates'.
4. Clear caches if necessary.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement additional input validation for URL parameters in application code.

Not applicable as a drop-in workaround: requires code modification.

Database Permission Restriction (platform: linux)

Limit database user permissions to the minimum required operations (MySQL/MariaDB syntax; the account name 'misp_user'@'localhost' and schema name misp are placeholders for your deployment):

-- Remove schema-changing privileges the web application does not need at runtime,
-- and make sure the account cannot grant privileges to itself or to others.
REVOKE DROP, CREATE, ALTER ON misp.* FROM 'misp_user'@'localhost';
REVOKE GRANT OPTION ON misp.* FROM 'misp_user'@'localhost';

Note: the MISP update script ('cake Admin runUpdates') performs schema migrations and needs CREATE and ALTER; re-grant these privileges for the duration of an update and revoke them again afterwards.

🧯 If You Can't Patch

  • Implement WAF rules to block SQL injection patterns in URL parameters
  • Restrict access to MISP interface to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check MISP version: 'cd /var/www/MISP && git describe --tags' or check web interface version. If version is earlier than 2.4.167, you are vulnerable.

Check Version:

cd /var/www/MISP && git describe --tags || grep 'appversion' /var/www/MISP/app/Config/config.php

Verify Fix Applied:

Verify that the version is 2.4.167 or later and that the IndexFilterComponent.php file contains the security fix from the referenced commit.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by complex URL parameter requests
  • Requests with unusual characters in URL parameters (semicolons, quotes, SQL keywords)

Network Indicators:

  • HTTP requests with SQL keywords in URL parameters
  • Unusual parameter names in GET requests to MISP endpoints

SIEM Query:

source="misp_access.log" AND (url="*SELECT*" OR url="*UNION*" OR url="*INSERT*" OR url="*DELETE*" OR url="*UPDATE*")
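The SIEM query above matches SQL keywords as literal substrings, so it misses percent-encoded payloads and fires on harmless values that merely contain a keyword. The following added example (not from this page or the MISP project) runs the log indicators listed above over constructed Apache-style access-log lines: it decodes URL parameters until stable, inspects both query-string parameters and CakePHP-style 'name:value' path segments as MISP uses them, and matches keywords as whole words. All IPs, parameter values and log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache-style access-log lines, not real MISP traffic; the last two carry
# URL-encoded (line 4: double-encoded) payloads that a literal "*UNION*" wildcard search misses.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /events/index/sort:date/direction:desc HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Mar/2023:10:00:02 +0000] "GET /attributes/index?searchall=deselect_update HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Mar/2023:10:00:03 +0000] "GET /events/index/sort:id%27%20UNION%20SELECT%201--%20/direction:asc HTTP/1.1" 500 310',
    '10.0.0.9 - - [01/Mar/2023:10:00:04 +0000] "GET /events/index?sort=timestamp%253B%2520DROP%2520TABLE%2520events HTTP/1.1" 500 280',
]

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Whole-word keywords, so a legitimate value such as "deselect_update" does not match.
SQL_KEYWORDS = re.compile(r"\b(select|union|insert|update|delete|drop|sleep|benchmark)\b", re.I)
# Quotes, statement separators and comment openers used to break out of a quoted literal.
SQL_META = re.compile(r"['\";]|--|/\*")

def percent_decode(value):
    """Decode until the value stops changing, so double-encoded payloads are not missed."""
    previous = None
    while previous != value:
        previous, value = value, unquote(value)
    return value

def request_params(target):
    """Yield (name, value) for query-string parameters and CakePHP 'name:value' path segments."""
    parts = urlsplit(target)
    for segment in parts.path.split("/"):
        name, sep, value = segment.partition(":")
        if sep:
            yield name, value
    yield from parse_qsl(parts.query, keep_blank_values=True)

def suspicious_params(line):
    """Return (client_ip, name, decoded_value, reasons) for each parameter that looks like SQLi."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    findings = []
    for name, raw in request_params(match.group("target")):
        value = percent_decode(raw)
        reasons = ["sql metacharacter"] if SQL_META.search(value) else []
        keywords = {k.lower() for k in SQL_KEYWORDS.findall(value)}
        if keywords and (reasons or len(keywords) >= 2):  # one bare keyword alone is not enough
            reasons.append("sql keywords: " + ",".join(sorted(keywords)))
        if reasons:
            findings.append((match.group("ip"), name, value, reasons))
    return findings
```

Feed real access-log lines to suspicious_params line by line; each finding names the offending parameter and the decoded value so an analyst can see exactly what reached the filter component.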
