CVE-2018-8949

{"id": "CVE-2018-8949", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": true, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2018-03-23T17:29:00.337", "references": [{"url": "https://github.com/MISP/MISP/commit/37720c38d6c617439df0a13e9396fcb26345dadd", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-749"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in app/Model/Attribute.php in MISP before 2.4.89. There is a critical API integrity bug, potentially allowing users to delete attributes of other events. A crafted edit for an event (without attribute UUIDs but attribute IDs set) could overwrite an existing attribute."}, {"lang": "es", "value": "Se ha descubierto un problema en app/Model/Attribute.php, en versiones anteriores a la 2.4.89 de MISP. Existe un error cr\u00edtico de integridad de API que podr\u00eda permitir a los usuarios eliminar atributos de otros eventos. La edici\u00f3n manipulada de un evento (con un conjunto de ID de atributos en lugar de UUID de atributos) podr\u00eda sobrescribir un atributo existente."}], "lastModified": "2018-04-19T19:21:33.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AE728CC9-A690-4960-B9D6-B3AD09424F7B", "versionEndExcluding": "2.4.89"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}