CVE-2018-8949 - OpenCVE

An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing attribute.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Misp-project	Misp

Configuration 1 [-]

cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/MISP/MISP/commit/37720c38d6c617439df0a13e9396fcb26345dadd	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-03T16:21:55

Updated: 2022-10-03T16:21:55

Reserved: 2022-10-03T00:00:00

Link: CVE-2018-8949

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-03-23T17:29:00.337

Modified: 2018-04-19T19:21:33.387

Link: CVE-2018-8949

JSON object: View

Redhat Information

No data.

CWE

CWE-749

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE728CC9-A690-4960-B9D6-B3AD09424F7B", "versionEndExcluding": "2.4.89", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing attribute."}, {"lang": "es", "value": "Se ha descubierto un problema en app/Model/Attribute.php, en versiones anteriores a la 2.4.89 de MISP. Existe un error cr\u00edtico de integridad de API que podr\u00eda permitir a los usuarios eliminar atributos de otros eventos. La edici\u00f3n manipulada de un evento (con un conjunto de ID de atributos en lugar de UUID de atributos) podr\u00eda sobrescribir un atributo existente."}], "id": "CVE-2018-8949", "lastModified": "2018-04-19T19:21:33.387", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-23T17:29:00.337", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/MISP/MISP/commit/37720c38d6c617439df0a13e9396fcb26345dadd"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-749"}], "source": "nvd@nist.gov", "type": "Primary"}]}