CVE-2023-48657

9.8 CRITICAL

📋 TL;DR

This CVE describes a time-based SQL injection vulnerability in MISP's filter handling in app/Model/AppModel.php. Attackers can exploit this to execute arbitrary SQL queries, potentially leading to data exfiltration or system compromise. All MISP instances running versions before 2.4.176 are affected.

💻 Affected Systems

Products:
  • MISP (Malware Information Sharing Platform)
Versions: All versions before 2.4.176
Operating Systems: All platforms running MISP
Default Config Vulnerable: ⚠️ Yes
Notes: All MISP deployments using affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full database compromise leading to exfiltration of sensitive threat intelligence data, user credentials, and potential remote code execution on the underlying server.

🟠 Likely Case

Data exfiltration from MISP database including threat intelligence, user information, and potentially authentication data.

🟢 If Mitigated

Limited impact with proper network segmentation, database permissions, and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to MISP. The vulnerability is in filter handling, which is used throughout MISP's interfaces.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.176

Vendor Advisory: https://github.com/MISP/MISP/commit/08bd23281ead288de678de666ef43ed6de1899fc

Restart Required: Yes

Instructions:

1. Backup your MISP instance and database.
2. Update MISP to version 2.4.176 or later using git pull or package manager.
3. Run the update scripts.
4. Restart the web server and MISP workers.

🔧 Temporary Workarounds

Restrict User Access
Applies to: all

Limit MISP access to only trusted users and implement strict authentication controls.

Network Segmentation
Applies to: all

Place MISP instance behind VPN or restrict access to specific IP addresses.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access the MISP instance
  • Enable detailed SQL query logging and monitor for suspicious database activity

🔍 How to Verify

Check if Vulnerable:

Check MISP version via web interface or by examining the version file in the installation directory.

Check Version:

grep -i version /var/www/MISP/app/Config/config.php 2>/dev/null || cat /var/www/MISP/VERSION.json 2>/dev/null

Verify Fix Applied:

Verify version is 2.4.176 or later and check that the commit 08bd23281ead288de678de666ef43ed6de1899fc is applied.
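A scripted form of the version check above, written here as an added example (it is not part of this advisory or of the MISP project). It assumes MISP's VERSION.json is a flat JSON object with integer "major", "minor" and "hotfix" fields, reads the live file when present (path overridable via MISP_VERSION_FILE), and otherwise runs against a constructed sample. The comparison is done field by field so that, for instance, 2.5.0 is correctly treated as later than 2.4.176.

```shell
#!/bin/sh
# Added example (not MISP project code): decide whether a MISP install is at or
# past the fixed release 2.4.176 by reading VERSION.json.
# Assumption: VERSION.json carries integer "major", "minor" and "hotfix" fields.

FIXED_MAJOR=2
FIXED_MINOR=4
FIXED_HOTFIX=176

# Extract one integer field from a flat JSON object (no jq dependency).
# $1 = JSON text, $2 = key name
json_int() {
    printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# Prints "patched", "vulnerable", or "unknown" when the JSON cannot be parsed.
misp_patch_status() {
    major=$(json_int "$1" major)
    minor=$(json_int "$1" minor)
    hotfix=$(json_int "$1" hotfix)
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$hotfix" ]; then
        echo unknown
        return
    fi
    # Lexicographic compare on (major, minor, hotfix) against the fixed release.
    if [ "$major" -gt "$FIXED_MAJOR" ] ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -gt "$FIXED_MINOR" ]; } ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -eq "$FIXED_MINOR" ] && [ "$hotfix" -ge "$FIXED_HOTFIX" ]; }; then
        echo patched
    else
        echo vulnerable
    fi
}

# Check a live install when the file is readable; otherwise fall back to a constructed sample.
VERSION_FILE="${MISP_VERSION_FILE:-/var/www/MISP/VERSION.json}"
if [ -r "$VERSION_FILE" ]; then
    echo "$VERSION_FILE: $(misp_patch_status "$(cat "$VERSION_FILE")")"
else
    # Constructed sample input, not taken from a real instance.
    SAMPLE='{"major":2, "minor":4, "hotfix":175}'
    echo "sample $SAMPLE: $(misp_patch_status "$SAMPLE")"
fi
```

A "patched" result only confirms the version string; as the advisory notes, also confirm that commit 08bd23281ead288de678de666ef43ed6de1899fc is present in the deployed checkout, since a manually edited VERSION.json or a partial update can misreport.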

📡 Detection & Monitoring

Log Indicators:

  • Unusually long SQL queries in database logs
  • Multiple failed login attempts followed by filter-related requests
  • Time-delayed responses to filter requests

Network Indicators:

  • Unusual patterns in HTTP requests to filter endpoints
  • Large volume of database queries from web application

SIEM Query:

source="misp_logs" AND ("filter" OR "AppModel") AND response_time>5000

🔗 References
