CVE-2022-29528
🔴 Patch now
PHAR deserialization in MISP allows remote code execution.
CVSS
9.8
EPSS
2.1%
Exploit
poc
Vendor
misp-project
Source description (NVD)
An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.
deserialization exploit
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 2.1% |
| Published (NVD) | 2022-04-20 23:15:08 UTC |
| Last modified (NVD) | 2026-06-22 19:23:18 UTC |
References
- https://github.com/MISP/MISP/commit/0108f1bde2117ac5c1e28d124128f60c8bb09a8e (cve@mitre.org) [Patch, Third Party Advisory]
- https://github.com/MISP/MISP/commit/93821c0de6a7dd32262ce62212773f43136ca66e (cve@mitre.org) [Patch, Third Party Advisory]
- https://github.com/MISP/MISP/compare/v2.4.157...v2.4.158 (cve@mitre.org) [Release Notes, Third Party Advisory]
- https://zigrin.com/advisories/misp-phar-deserialization/ (cve@mitre.org) [Third Party Advisory]
- https://zigrin.com/cakephp-application-cybersecurity-research-exploring-the-phar-deserialization-php-vulnerability-a-white-box-testing-example/ (cve@mitre.org) [Exploit, Third Party Advisory]