CVE-2017-14337
HIGHMISP < 2.4.80 - Unauthenticated Arbitrary User Access via CertAuth with External API
Title source: llmDescription
When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user can be granted access as an arbitrary user.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/MISP/MISP/commit/be111a470204a974c50682054c9c7d4b94396ed9
Third Party Advisory x_refsource_confirm
https://www.circl.lu/advisory/CVE-2017-14337/
Scores
CVSS v3
8.1
EPSS
0.0093
EPSS Percentile
55.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (1)
misp-project/misp
< 2.4.79
Published
Sep 12, 2017
Tracked Since
Feb 18, 2026