CVE-2022-29528

CRITICAL

Misp < 2.4.158 - Insecure Deserialization

Title source: rule

Description

An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.

References (5)

[Patch, Third Party Advisory] https://github.com/MISP/MISP/commit/0108f1bde2117ac5c1e28d124128f60c8bb09a8e

[Patch, Third Party Advisory] https://github.com/MISP/MISP/commit/93821c0de6a7dd32262ce62212773f43136ca66e

View Patch ZIP pw:eip

[Release Notes, Third Party Advisory] https://github.com/MISP/MISP/compare/v2.4.157...v2.4.158

[Third Party Advisory] https://zigrin.com/advisories/misp-phar-deserialization/

[Exploit, Third Party Advisory] https://zigrin.com/cakephp-application-cybersecurity-research-exploring-the-phar-deserialization-php-vulnerability-a-white-box-testing-example/

Scores

CVSS v3 9.8

EPSS 0.0052

EPSS Percentile 66.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

misp/misp < 2.4.158

Timeline

Published Apr 20, 2022

Tracked Since Feb 18, 2026