CVE-2022-29528 in MISP

Summary

by MITRE • 04/21/2022

An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.


Analysis

by VulDB Data Team • 06/23/2026

CVE-2022-29528 is a critical security flaw in the Malware Information Sharing Platform (MISP) before version 2.4.158. It stems from improper handling of PHAR (PHP Archive) files during deserialization, which gives an attacker a path to arbitrary code execution on affected systems. PHAR files are commonly used to package PHP applications and libraries, so the issue is particularly dangerous wherever MISP handles external data or user-uploaded content.

The flaw is triggered when MISP processes a maliciously crafted PHAR file without validating or sanitizing it first. PHP's phar:// stream wrapper unserializes the metadata stored inside an archive as soon as an ordinary file operation touches a phar:// path, so a crafted archive whose metadata holds a serialized payload can lead to code running with the privileges of the MISP process. The weakness is classified as CWE-502, deserialization of untrusted data, a well-documented class of bugs in applications that pass untrusted input through deserialization mechanisms.

The operational impact is significant, particularly in threat intelligence sharing environments where MISP is widely deployed. An attacker who exploits the flaw could gain unauthorized access to the system, with data breaches, privilege escalation, or full compromise as possible outcomes. Because PHAR files are also used legitimately in PHP applications, benign and malicious archives are hard to tell apart without proper validation. Organizations that use MISP for threat intelligence sharing, incident response, or security operations are at risk when they process external data feeds, user uploads, or collaboratively shared content that could contain a malicious PHAR file.

Mitigation should start with an immediate upgrade to version 2.4.158 or later, which adds proper validation and sanitization of PHAR files during deserialization. Organizations should also use network segmentation and access controls to limit the exposure of MISP instances to untrusted data sources. Further defensive measures include strict file validation policies, monitoring for suspicious file uploads, and intrusion detection systems capable of identifying exploitation attempts. From a security framework perspective, this vulnerability aligns with ATT&CK technique T1566.002 for phishing with malicious attachments and T1059.007 for command and scripting interpreter PowerShell, as attackers could use it to establish persistence or execute malicious commands. The case also illustrates the importance of input validation and least privilege in application design: an application should never trust external input and should validate and sanitize data before processing it. Organizations should review their MISP deployments to confirm that no similar weaknesses exist in their threat intelligence infrastructure.
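As an added illustration of the defensive point above (example code, not MISP's own fix), the following PHP snippet shows two layers of protection against PHAR deserialization: a path check that refuses any stream-wrapper scheme such as phar:// and any path that escapes an expected base directory, and, for applications that never need PHAR archives at run time, removal of the phar wrapper altogether. The function name, the base-directory argument and the sample files are assumptions for the demo.

```php
<?php
// Added example, not code from MISP. Demonstrates blocking the phar://
// stream wrapper as a mitigation for PHAR-metadata deserialization.

declare(strict_types=1);

/**
 * Return true only if $path is a plain filesystem path located inside
 * $baseDir. Any "scheme://" prefix (phar://, data://, php://, ...) is
 * rejected, as is a path that resolves outside $baseDir.
 */
function isSafeLocalPath(string $path, string $baseDir): bool
{
    // A scheme prefix means a PHP stream wrapper, not a local file.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }
    // NUL bytes truncate paths in C-level calls; never accept them.
    if (strpos($path, "\0") !== false) {
        return false;
    }
    $base = realpath($baseDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false;
    }
    // Require $real to sit strictly below $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

// Second layer: if the application never opens PHAR archives at run time,
// unregister the wrapper so no file function can reach phar:// at all,
// even if a path check is missed somewhere else in the code base.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed sample inputs for a quick self-check (assumed demo directory).
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo';
@mkdir($uploads);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'report.txt', 'ok');

var_dump(isSafeLocalPath($uploads . '/report.txt', $uploads));
var_dump(isSafeLocalPath('phar://' . $uploads . '/x.phar/a', $uploads));
var_dump(isSafeLocalPath($uploads . '/../../etc/passwd', $uploads));
```

The first call is the only one that should be accepted; the phar:// path is rejected by the scheme check before any file function can touch the archive, and the traversal attempt is rejected by the realpath comparison.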

Reservation

04/20/2022

Disclosure

04/21/2022

Moderation

accepted

CPE

ready

EPSS

0.02077

KEV

no

Activities

very low
