MISP SQL Injection Vulnerability in Event and Shadow Attribute Listings

Vulnerability

A SQL injection vulnerability has been identified in MISP versions prior to 2.5.37. The issue arises in the event and shadow attribute listing endpoints, where user-controlled ordering parameters are not properly validated before being incorporated into database query ordering clauses. This flaw allows an attacker with access to these endpoints to manipulate the SQL query by crafting a malicious ordering parameter. Depending on the database permissions and query context, this could lead to unauthorized data access, modification of query behavior, or other database-level impacts.

Impact

Exploitation of this vulnerability could result in SQL injection, allowing attackers to manipulate database queries. This could lead to unauthorized data access, modification of query behavior, or other database-level impacts, depending on the exploited query context and database permissions.

Remediation

Upgrade to MISP version 2.5.37 or later to address this vulnerability. The patched version removes direct use of user-supplied order parameters, validates ordering fields against the allowed model fields or schemas, and builds order clauses only from validated field names and normalized sort directions (ASC/DESC).
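The pattern described in the remediation, an allowlist of orderable fields plus a normalized sort direction, shown as an added example in Python against SQLite; this is illustrative code written for this page, not MISP's own PHP code, and the event table and field list are assumed stand-ins for the real model schema.

```python
import re
import sqlite3

# Constructed stand-in for the model schema the patched code validates against
# (assumed names; the real MISP Event/ShadowAttribute schemas are not on the page).
EVENT_ORDER_FIELDS = frozenset({"id", "info", "threat_level_id", "timestamp"})
DEFAULT_ORDER = ("timestamp", "DESC")
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def safe_order_clause(field, direction, allowed_fields, default=DEFAULT_ORDER):
    """Return (field, direction) built only from allowlisted values.

    Anything that is not a plain identifier present in allowed_fields falls
    back to the default; the direction is normalized to ASC or DESC. The
    caller's raw input is never echoed into the query text.
    """
    if not isinstance(field, str) or not _IDENT.match(field) or field not in allowed_fields:
        return default
    dir_norm = (direction or "").strip().upper()
    if dir_norm not in ("ASC", "DESC"):
        dir_norm = "ASC"
    return (field, dir_norm)


def list_events(conn, order_field, order_dir):
    """Event listing whose ORDER BY uses only validated tokens."""
    field, direction = safe_order_clause(order_field, order_dir, EVENT_ORDER_FIELDS)
    # Only the allowlisted field name and the normalized direction reach the SQL text.
    sql = f"SELECT id, info FROM events ORDER BY {field} {direction}"
    return [row[0] for row in conn.execute(sql)]


def demo_db():
    """Constructed in-memory sample data (not real MISP events)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER, info TEXT, threat_level_id INTEGER, timestamp INTEGER)")
    conn.executemany(
        "INSERT INTO events VALUES (?, ?, ?, ?)",
        [(1, "alpha", 2, 100), (2, "bravo", 1, 300), (3, "charlie", 3, 200)],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(list_events(db, "threat_level_id", "desc"))  # [3, 1, 2]
    print(list_events(db, "timestamp, id", "ASC"))     # rejected -> default order [2, 3, 1]
```

A request whose ordering parameter is not an allowlisted identifier silently gets the default order rather than influencing the query; logging such rejections gives a useful detection signal for probing of the listing endpoints.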

Added: May 13, 2026, 9:25 PM
Updated: May 13, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 3.1
exploitability: 5.2
remediation: 7.7
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.