CVE-2022-29534 in MISP

Summary

by MITRE • 04/21/2022

An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.


Analysis

by VulDB Data Team • 06/23/2026

CVE-2022-29534 affects MISP (Malware Information Sharing Platform) in versions prior to 2.4.158. It is a critical flaw in the user authentication and authorization mechanisms that could allow unauthorized access to systems. MISP is widely used by cybersecurity professionals and organizations to share threat intelligence and malware information, which makes the vulnerability particularly concerning from an operational security perspective.

The technical flaw manifests in the UsersController.php file where the password confirmation validation process can be circumvented through manipulation of HTTP headers. Specifically, attackers can exploit this weakness by including the "Accept: application/json" header in their requests, which alters the application's response behavior and effectively bypasses the required password confirmation step. This represents a classic example of improper input validation and insufficient access control mechanisms, aligning with CWE-284 Access Control Issues and CWE-347 Improper Verification of Cryptographic Signature. The vulnerability demonstrates how header manipulation can be leveraged to bypass security controls that are typically enforced through more conventional means such as form validation or session checks.

The operational impact of this vulnerability extends beyond simple credential compromise, as it could enable attackers to perform unauthorized user management activities including password resets, account modifications, and potentially full administrative access to the MISP instance. This weakness creates a pathway for privilege escalation attacks that align with ATT&CK technique T1078 Valid Accounts, where adversaries leverage legitimate credentials to gain access to systems. Organizations relying on MISP for threat intelligence sharing face significant risk as this vulnerability could allow attackers to modify or delete critical threat data, disrupt threat sharing operations, or establish persistent access points within their security infrastructure. The vulnerability affects the integrity and availability of the threat intelligence platform, potentially compromising the security posture of entire organizations that depend on accurate and timely threat information.

Mitigation efforts should focus on immediate patching to version 2.4.158 or later, which contains the necessary fixes for the password confirmation bypass mechanism. Organizations should also implement additional monitoring for suspicious API requests containing unusual header combinations, particularly those involving JSON content negotiation. Network segmentation and access controls should be reviewed to limit exposure of the MISP instance to unauthorized users. Security teams should conduct comprehensive audits of authentication flows and implement proper header validation mechanisms. The fix likely involves strengthening the validation logic in UsersController.php to ensure that password confirmation requirements are enforced regardless of the Accept header value, addressing the underlying CWE-284 access control weakness and preventing unauthorized privilege escalation through header manipulation attacks.
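One way to implement the header monitoring suggested above, as an added example that is not code from VulDB or the MISP project. It assumes a reverse proxy that writes JSON-lines records including the Accept header and the credential type; the field names, the route prefixes, and the heuristic (a cookie session asking for JSON on a user-management write, with no API key header) are all assumptions to adapt locally.

```python
import json

# Assumption: route prefixes of user-management actions; adjust to your deployment.
USER_ROUTES = ("/users/edit", "/users/change_pw")
WRITE_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample records, not real traffic. Assumed format: one JSON object
# per line, with the Accept header and two booleans saying whether the request
# carried an Authorization header and/or a session cookie.
SAMPLE_LOG = """\
{"src":"10.0.0.5","method":"POST","path":"/users/edit/12","accept":"text/html,application/xhtml+xml","auth_header":false,"session_cookie":true}
{"src":"10.0.0.7","method":"POST","path":"/users/edit/12","accept":"application/json","auth_header":true,"session_cookie":false}
{"src":"10.0.0.9","method":"POST","path":"/users/change_pw","accept":"application/json;q=0.9, */*","auth_header":false,"session_cookie":true}
{"src":"10.0.0.5","method":"GET","path":"/events/index","accept":"application/json","auth_header":false,"session_cookie":true}
not-json garbage line
{"src":"10.0.0.9","method":"PUT","path":"/users/edit/3","accept":"Application/JSON","auth_header":false,"session_cookie":true}
"""

def wants_json(accept):
    """True if any media range in the Accept header is application/json."""
    return any(part.split(";")[0].strip().lower() == "application/json"
               for part in accept.split(","))

def is_suspicious(rec):
    """Session-authenticated write to a user route that negotiates JSON."""
    return bool(rec.get("method", "").upper() in WRITE_METHODS
                and rec.get("path", "").startswith(USER_ROUTES)
                and wants_json(rec.get("accept", ""))
                and rec.get("session_cookie")
                and not rec.get("auth_header"))

def scan(log_text):
    """Return (line_number, source, path) for every flagged record."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the scan
        if isinstance(rec, dict) and is_suspicious(rec):
            hits.append((n, rec.get("src"), rec["path"]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("review:", hit)
```

Default web server access logs do not record the Accept header, so the logging format has to be extended before a check like this can work.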

Reservation: 04/20/2022
Disclosure: 04/21/2022
Moderation: accepted
CPE: ready
EPSS: 0.01521
KEV: no
Activities: very low
