Arbitrary User Access Vulnerability in MISP before 2.4.80 with X.509 Certificate Authentication and Non-MISP External User Management ReST API

CVE-2017-14337 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user can be granted access as an arbitrary user.
