In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed Enterprise Linux and CentOS systems (where rh_shell_fix was enabled), and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by the setting being only accessible to the site administrator.
References
Link | Resource |
---|---|
https://github.com/MISP/MISP/commit/0a2aa9d52492d960b9a161160acedbe9caaa4126 | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-10-03T16:21:48
Updated: 2022-10-03T16:21:48
Reserved: 2022-10-03T00:00:00
Link: CVE-2018-6926
JSON object: View
NVD Information
Status : Analyzed
Published: 2018-02-12T17:29:00.323
Modified: 2018-03-16T14:32:09.787
Link: CVE-2018-6926
JSON object: View
Redhat Information
No data.
CWE