CVE-2018-19908 in MISP

Summary

by MITRE

An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.


Analysis

by VulDB Data Team • 07/19/2025

The vulnerability identified as CVE-2018-19908 represents a critical command injection flaw within the MISP (Malware Information Sharing Platform) software ecosystem. This issue specifically affects MISP versions 2.4.9x prior to 2.4.99 and resides within the STIX 1 import functionality of the application. The vulnerability stems from improper input validation and sanitization within the Event.php model file, which handles the processing of STIX 1.2 formatted threat intelligence data. When users import STIX files into the MISP platform, the system constructs shell commands using user-provided filename strings without adequate escaping or sanitization, creating a pathway for malicious code execution.

The technical flaw manifests in the app/Model/Event.php file where the application directly incorporates user-supplied filenames into shell command constructions without proper sanitization. This classic command injection vulnerability occurs when the system fails to properly escape special characters that could alter the intended command execution flow. An authenticated attacker with access to the MISP platform can manipulate the filename of a malicious STIX file to inject arbitrary shell commands that will be executed with the privileges of the MISP service account. This represents a severe privilege escalation vector that can be exploited to gain unauthorized system access and execute arbitrary code on the host machine.

The operational impact of this vulnerability extends beyond simple code execution, as it enables attackers to potentially compromise the entire MISP infrastructure. Since MISP serves as a critical threat intelligence sharing platform for security professionals and organizations, an attacker who successfully exploits this vulnerability could gain access to sensitive threat intelligence data, manipulate or delete critical information, or use the compromised system as a pivot point for attacking other systems within the network. The authenticated nature of the attack means that attackers must first obtain valid credentials, but this is often achievable through social engineering, credential theft, or other attack vectors commonly employed in cyber operations. The vulnerability particularly affects organizations that rely heavily on STIX import functionality for threat intelligence ingestion and automated processing.

Organizations should immediately implement several mitigation strategies to address this vulnerability. The primary remediation is upgrading to MISP version 2.4.99 or later, which contains the necessary patches to properly sanitize filename inputs before constructing shell commands. Additionally, administrators should enforce strict access controls and monitor user activity within the MISP platform, particularly around import functionality. Applying the principle of least privilege should ensure that MISP service accounts operate with the minimum required permissions. Security teams should also consider implementing network segmentation and monitoring for suspicious command execution patterns. This vulnerability aligns with CWE-78, which specifically addresses OS Command Injection, and falls under ATT&CK technique T1059.001 for Command and Scripting Interpreter, demonstrating how authenticated users can leverage legitimate platform functionality to execute malicious code through improper input handling.
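The flaw class and its fix, as an added PHP example that is not MISP's code: a filename concatenated into a shell string, next to two hardened forms. The function names, the constructed filename and the `printf` stand-in for the converter are assumptions for illustration; it assumes a POSIX shell and PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Stand-in for the external converter an import handler would call (assumption).
// printf prints every argument it receives on its own line, which makes the
// argument boundaries the shell produced visible.
const CONVERTER = "printf '[arg] %s\\n'";

// BEFORE: the client-supplied original filename is concatenated as-is.
function runImportUnsafe(string $originalName): string
{
    return (string) shell_exec(CONVERTER . ' ' . $originalName);
}

// AFTER, option 1: quote every dynamic argument before it reaches the shell.
function runImportEscaped(string $path): string
{
    return (string) shell_exec(CONVERTER . ' ' . escapeshellarg($path));
}

// AFTER, option 2: no shell at all. proc_open() with an argv array (PHP 7.4+)
// executes the program directly, so metacharacters are never interpreted.
function runImportNoShell(string $path): string
{
    $proc = proc_open(['printf', '[arg] %s\n', $path], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start converter');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return (string) $out;
}

// Defense in depth: store uploads under a server-generated name so the
// client's original filename never appears on a command line.
function storedName(): string
{
    return bin2hex(random_bytes(16)) . '.xml';
}

// Constructed filename; the second command is a harmless marker.
$name = 'feed.xml; echo MARKER';
echo "unsafe:\n", runImportUnsafe($name);
echo "escaped:\n", runImportEscaped($name);
echo "no shell:\n", runImportNoShell($name);
echo "stored name:\n", runImportEscaped(storedName());
```

In the unsafe variant the shell splits the filename at the semicolon and runs the marker as its own command; in the other variants the whole string reaches the program as a single argument.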

Reservation: 12/06/2018

Disclosure: 12/06/2018

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.33706

KEV: no

Activities: very low
