MISP
/
misp-website
mirror of https://github.com/MISP/misp-website
2
0
Fork 0
Code Issues Releases Wiki Activity

Update 2018-12-06-MISP.2.4.99.released.md

pull/8/head
Andras Iklody 2018-12-06 15:37:23 +01:00 committed by GitHub
parent 3c1692bff2
commit 8370628d38
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
_posts/2018-12-06-MISP.2.4.99.released.md
View File

@ -4,9 +4,9 @@ layout: post
featured: /assets/images/misp-small.png
---
A new version of MISP ([2.4.99](https://github.com/MISP/MISP/tree/v2.4.99)) has been released with improvements in the UI, API, STIX import and a critical security vulnerability was fixed.
A new version of MISP ([2.4.99](https://github.com/MISP/MISP/tree/v2.4.99)) has been released with improvements in the UI, API, STIX import and a fixed critical security vulnerability.
Thanks to Francois-Xavier Stellamans from NCI Agency Cyber Security who reported a critical vulnerability in the STIX 1 import code. The vulnerability allows a malicious authenticated user can inject command in an incorrectly escaped variable name (the original final of the STIX file). We strongly urge users to update their MISP instance to the latest version. We also replaced the mechanism of adding original filename as a default internal MISP function to limit further risk in the future. CVE allocation is pending (the page will be updated when we'll receive it).
Thanks to Francois-Xavier Stellamans from NCI Agency Cyber Security who reported a critical vulnerability in the STIX 1 import code. The vulnerability allows a malicious authenticated user to inject commands via an incorrectly escaped variable name (the original name of the STIX file). We strongly urge users to update their MISP instance to the latest version. We also replaced the mechanism of storing the original uploaded files on ingestion with a standardised function that will process the files without passing them to external tools - this reusable system will avoid any similar issues in the future if new similar mechanisms are introduced. CVE allocation is pending (the page will be updated when we receive it).
This release includes the following changes: