CVE-2019-12794

An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance creates organization admins. An organization admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them. The potential for abuse only occurs when the host organization creates lower-privilege organization admins instead of the usual site admins. Also, only organization admins of the same organization as the site admin could abuse this.

CVSS v3 6.6 MEDIUM
CVSS v2.0 6.0 MEDIUM

6.6^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability : 0.7 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:P

Exploitability : 6.8 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/MISP/MISP/commit/36b43f1306873cff87b7aa30cdc1a30b38c9c16a	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:misp:misp:2.4.108:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-06-11 17:29

Updated : 2024-02-28 17:08

NVD link : CVE-2019-12794

Mitre link : CVE-2019-12794

CVE.ORG link : CVE-2019-12794

JSON object : View

Products Affected

misp

misp

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2019-12794", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.7}]}, "published": "2019-06-11T17:29:00.550", "references": [{"url": "https://github.com/MISP/MISP/commit/36b43f1306873cff87b7aa30cdc1a30b38c9c16a", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in MISP 2.4.108. Organization admins could reset credentials for site admins (organization admins have the inherent ability to reset passwords for all of their organization's users). This, however, could be abused in a situation where the host organization of an instance creates organization admins. An organization admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them. The potential for abuse only occurs when the host organization creates lower-privilege organization admins instead of the usual site admins. Also, only organization admins of the same organization as the site admin could abuse this."}, {"lang": "es", "value": "Un problema fue descubierto en MISP 2.4.108. Los administradores de la organizaci\u00f3n podr\u00edan restablecer las credenciales de los administradores del sitio (los administradores de la organizaci\u00f3n tienen la capacidad inherente de restablecer las contrase\u00f1as para todos los usuarios de su organizaci\u00f3n). Sin embargo, esto podr\u00eda ser objeto de abuso en una situaci\u00f3n en la que la organizaci\u00f3n anfitriona de una instancia crea administradores de la organizaci\u00f3n. Un administrador de la organizaci\u00f3n podr\u00eda establecer una contrase\u00f1a manualmente para el administrador del sitio o simplemente usar la clave API del administrador del sitio para hacerse pasar por ella. El potencial de abuso solo se produce cuando la organizaci\u00f3n anfitriona crea administradores de organizaci\u00f3n con menos privilegios en lugar de los administradores de sitio habituales. Adem\u00e1s, solo los administradores de la organizaci\u00f3n de la misma organizaci\u00f3n que el administrador del sitio podr\u00edan abusar de esto."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:misp:misp:2.4.108:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "314D6481-0113-470D-A968-DA6CD8806125"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}