Executive Summary

This vulnerability is a visibility control issue in the event template creation workflow of MISP. It allowed non-site-admin users to access private galaxies that belong to other organisations. Specifically, when building event templates, the system loaded all enabled galaxies without applying restrictions based on the user's organisation or the galaxy's distribution settings. As a result, private galaxy metadata such as galaxy type and description could be exposed to unauthorized users.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allowed non-site-admin users to access private galaxy metadata belonging to other organizations, potentially exposing sensitive information without proper authorization.

Such unauthorized access to private organizational data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

By exposing private metadata to unauthorized users, the vulnerability could increase the risk of data breaches and violate principles of data confidentiality and privacy mandated by these standards.

The issue was fixed by restricting galaxy visibility for non-site-admin users to only those galaxies owned by their organization or those with non-private distribution, thereby restoring compliance with access control requirements.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized visibility of private galaxies during event template creation by non-site-admin users. Detection would involve verifying whether non-site-admin users can access galaxy metadata that should be restricted.

Since the issue is related to access control in the MISP application, detection can be performed by attempting to list or query galaxies as a non-site-admin user and checking if galaxies from other organisations or private galaxies are visible.

There are no specific network or system commands provided in the resources to detect this vulnerability directly.

However, as a practical approach, you can test the vulnerability by using the MISP API or web interface with a non-site-admin user account and attempt to retrieve event templates or galaxy lists that belong to other organisations.

For example, using curl to query the MISP API for galaxies with a non-site-admin API key and checking if private galaxies from other organisations are returned could help detect the issue.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of private galaxy metadata to users who should not have access. If you are a non-site-admin user, you might be able to see sensitive information about galaxies belonging to other organisations, which could compromise confidentiality and potentially expose internal threat intelligence or other sensitive data.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, update the MISP installation to include the fix that restricts galaxy visibility for non-site-admin users.

The fix involves modifying the event template creation workflow so that non-site-admin users can only see galaxies belonging to their own organisation or galaxies with a non-private distribution setting.

Ensure that your MISP instance includes the patch from the commit that introduces the `$orgCondition` check in the EventTemplatesController.php file.

Useful 0 Not Useful 0