Description
When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user can be granted access as an arbitrary user.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/MISP/MISP/commit/be111a470204a974c50682054c9c7d4b94396ed9
Third Party Advisory x_refsource_confirm
https://www.circl.lu/advisory/CVE-2017-14337/
Scores
CVSS v3
8.1
EPSS
0.0062
EPSS Percentile
70.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (1)
misp-project/misp
< 2.4.79
Published
Sep 12, 2017
Tracked Since
Feb 18, 2026