CVE-2023-24028 in MISP

Summary

by MITRE • 01/21/2023

In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function.


Analysis

by VulDB Data Team • 10/16/2025

The vulnerability identified as CVE-2023-24028 affects MISP version 2.4.167 and specifically targets the access control mechanisms within the ACLComponent.php file. This issue resides in the decaying import function which is responsible for handling data import operations within the MISP framework. The flaw represents a critical authorization bypass vulnerability that allows unauthorized users to perform operations they should not be permitted to execute. The decaying import function is designed to process and import data with specific time-based decay mechanisms, but the access control implementation fails to properly validate user permissions before executing these operations. This weakness creates a pathway for malicious actors to exploit the system's import functionality and potentially gain elevated privileges or access to restricted data.

The technical implementation flaw stems from insufficient input validation and access control checks within the ACLComponent.php file. When the decaying import function is invoked, the system should verify that the requesting user possesses the appropriate privileges to execute such operations. However, the current implementation contains a logic error where access control validation is either bypassed entirely or occurs at an inappropriate stage in the execution flow. This allows attackers to manipulate the import process and potentially execute unauthorized data operations. The vulnerability manifests when users with limited privileges attempt to access the decaying import functionality, which should normally be restricted to administrators or authorized personnel with specific clearance levels.

The operational impact of this vulnerability extends beyond simple unauthorized access, potentially enabling attackers to manipulate critical system data and compromise the integrity of the MISP instance. An attacker could leverage this vulnerability to import malicious data, modify existing records, or potentially escalate privileges within the system. The decaying import function typically handles time-sensitive data operations that are crucial for threat intelligence sharing and incident response workflows. If exploited, this vulnerability could result in data corruption, unauthorized information disclosure, or the injection of malicious content into the threat intelligence database. The affected system could become compromised, leading to potential data breaches and undermining the trustworthiness of the shared intelligence.

Security mitigations for this vulnerability should focus on implementing proper access control validation within the ACLComponent.php file and ensuring that all import operations require appropriate authorization checks before execution. Organizations should immediately apply the vendor-provided patch or update to MISP version 2.4.168 or later, which addresses the access control flaw. Additionally, administrators should review and harden the existing access control policies to ensure that only authorized personnel can access sensitive import functions. The implementation should follow established security principles such as least privilege and defense in depth, ensuring that access controls are enforced at multiple layers of the system. Network segmentation and monitoring should also be implemented to detect and prevent unauthorized access attempts to the import functionality. This vulnerability aligns with CWE-284, which describes improper access control issues. In ATT&CK terms, it represents a potential pathway for attackers to move laterally within the system, in line with techniques related to privilege escalation and persistence.

Reservation: 01/20/2023
Disclosure: 01/21/2023
Moderation: accepted
CPE: ready
EPSS: 0.00702
KEV: no
Activities: very low
