Vulnerability Details : CVE-2017-14337
When MISP before 2.4.80 is configured with X.509 certificate authentication (CertAuth) in conjunction with a non-MISP external user management ReST API, if an external user provides X.509 certificate authentication and this API returns an empty value, the unauthenticated user can be granted access as an arbitrary user.
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2017-14337
- cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-14337
- EPSS score: 0.21% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~58% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2017-14337
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST |
CWE ids for CVE-2017-14337
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-14337
- https://github.com/MISP/MISP/commit/be111a470204a974c50682054c9c7d4b94396ed9
  fix: Fix to certauth pains · MISP/MISP@be111a4 · GitHub (Third Party Advisory)
- https://www.circl.lu/advisory/CVE-2017-14337/
  CIRCL » CVE-2017-14337 - Vulnerability in MISP (Malware Information Sharing Platform) and Threat Sharing - Vulnerability in CertAuth module when used with external user management API (Third Party Advisory)