CVE-2023-50918: fix: [security] new audit logs lack of ACL controls · MISP/MISP@92888b1
app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.
Expand Up @@ -91,6 +91,21 @@ public function __construct($request = null, $response = null) ]; }
private function __applyAuditACL(array $user) { $acl = []; if (empty($user[‘Role’][‘perm_site_admin’])) { if (!empty($user[‘Role’][‘perm_admin’])) { // ORG admins can see their own org info $acl = [‘AuditLog.org_id’ => $user[‘org_id’]]; } else { // users can see their own info $acl = [‘AuditLog.user_id’ => $user[‘id’]]; } } return $acl; }
public function admin_index() { $this->paginate[‘fields’][] = 'ip’; Expand Down Expand Up @@ -119,6 +134,10 @@ public function admin_index() ]);
$this->paginate[‘conditions’] = $this->__searchConditions($params); $acl = $this->__applyAuditACL($this->Auth->user()); if ($acl) { $this->paginate[‘conditions’][‘AND’][] = $acl; } $list = $this->paginate();
if ($this->_isRest()) { Expand Down Expand Up @@ -156,7 +175,6 @@ public function eventIndex($eventId, $org = null) if (empty($event)) { throw new NotFoundException(‘Invalid event.’); }
$this->paginate[‘conditions’] = $this->__createEventIndexConditions($event); $this->set('passedArgsArray’, [‘eventId’ => $eventId, ‘org’ => $org]);
Expand Down Expand Up @@ -233,6 +251,7 @@ public function returnDates($org = ‘all’) */ private function __searchConditions(array $params) { $conditions = []; $qbRules = []; foreach ($params as $key => $value) { if ($key === ‘model’ && strpos($value, ‘:’) !== false) { Expand Down Expand Up @@ -263,7 +282,6 @@ private function __searchConditions(array $params) } $this->set('qbRules’, $qbRules);
$conditions = []; if (isset($params[‘user’])) { if (strtoupper($params[‘user’]) === ‘SYSTEM’) { $conditions[‘AuditLog.user_id’] = 0; Expand Down Expand Up @@ -351,7 +369,6 @@ private function __createEventIndexConditions(array $event) // Site admins and event owners can see all changes return [‘event_id’ => $event[‘Event’][‘id’]]; }
$event = $this->AuditLog->Event->fetchEvent($this->Auth->user(), [ ‘eventid’ => $event[‘Event’][‘id’], ‘sgReferenceOnly’ => 1, Expand All @@ -361,7 +378,6 @@ private function __createEventIndexConditions(array $event) ‘includeEventCorrelations’ => false, ‘excludeGalaxy’ => true, ])[0];
$attributeIds = []; $objectIds = []; $proposalIds = array_column($event[‘ShadowAttribute’], ‘id’); Expand Down
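Review bot: The new `__applyAuditACL` restriction is wired only into `admin_index` (the `AND` condition appended just before `$this->paginate()`); nothing in these hunks shows the same org/user scoping reaching `eventIndex` or the REST branch that follows, so the remaining read paths should be checked against `__createEventIndexConditions` or an equivalent guard — the removed lines at `-156,7 +175,6`, `-351,7 +369,6` and `-361,7 +378,6` are not recoverable from this rendering, so that part is inferred. The helper's contract deserves a docblock because an empty return means "no restriction": `/** Scope audit-log conditions to what $user may see: site admins unrestricted, org admins their own org, all other users their own entries. Returns [] when no filter applies. */`. It is worth stating in that comment that a missing or empty `Role` falls into the most restrictive branch, which is the safe default here. `admin_index` begins and ends outside the hunk.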