CVE-2020-14969 in MISP
Summary
by MITRE
app/Model/Attribute.php in MISP 2.4.127 lacks an ACL lookup on attribute correlations. This occurs when querying the attribute restsearch API, revealing metadata about a correlating but unreachable attribute.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/23/2026
The vulnerability identified as CVE-2020-14969 resides within the MISP (Malware Information Sharing Platform) software version 2.4.127, specifically in the app/Model/Attribute.php file. This represents a critical access control flaw that undermines the security model of the platform. The issue manifests when the system processes queries through the attribute restsearch API, which is designed to search for and retrieve attribute information. The vulnerability stems from the absence of proper access control list (ACL) validation during attribute correlation lookups, creating a scenario where unauthorized users can potentially access metadata about attributes that they should not be able to reach. This flaw directly violates fundamental security principles of least privilege and access control enforcement that are essential for information security frameworks.
The technical implementation of this vulnerability involves the RESTful API endpoint that handles attribute searches and correlations. When a user performs a search operation that involves correlated attributes, the system fails to validate whether the requesting user has appropriate permissions to access the metadata of the correlated attribute. This creates a situation where sensitive information about attribute relationships and correlations can be exposed to users who lack proper authorization. The flaw operates at the application layer and specifically affects the attribute correlation functionality, which is crucial for threat intelligence sharing and malware analysis within the MISP ecosystem. The vulnerability is classified as a weakness in access control mechanisms, aligning with CWE-284, which deals with insufficient access control or improper access control.
The operational impact of this vulnerability is significant for organizations relying on MISP for threat intelligence sharing and incident response activities. Attackers who can exploit this weakness may gain unauthorized visibility into attribute correlations that could reveal sensitive information about threat patterns, malware families, or attack vectors that should remain private within the organization. This exposure could potentially lead to information disclosure that compromises the integrity of threat intelligence sharing, allowing adversaries to understand the relationships between different threat indicators and potentially identify gaps in an organization's defensive posture. The vulnerability particularly affects collaborative threat intelligence environments where multiple organizations share information through MISP platforms, as it could enable unauthorized access to correlation data that reveals the interconnected nature of various threats. This information disclosure aligns with ATT&CK technique T1005, which involves data from local systems, and could facilitate further exploitation by providing attackers with insights into organizational threat landscape relationships.
Organizations should implement immediate mitigations including updating to patched versions of MISP where the ACL lookup has been properly implemented for attribute correlations. The fix should ensure that all attribute correlation lookups perform proper access control validation before returning any metadata about correlated attributes. System administrators should also review existing access control policies and implement network segmentation to limit exposure of the REST API endpoints. Additional monitoring should be implemented to detect unusual patterns in attribute search queries that might indicate exploitation attempts. The vulnerability demonstrates the importance of comprehensive access control implementation throughout all application components, particularly in threat intelligence platforms where the exposure of correlation relationships could significantly impact the security posture of participating organizations. Regular security assessments and penetration testing should be conducted to identify similar access control weaknesses in other components of the MISP platform and related security tooling.