Safety vulnerability ID: 40849
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Intelmq-manager 2.1.1 includes a fix for CVE-2020-11016: IntelMQ Manager from version 1.1.0 and before version 2.1.1 has a vulnerability where the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver.
Latest version: 3.2.0
IntelMQ Manager is a graphical interface to manage configurations for the IntelMQ framework.
------------------
Bernhard Herzog (Intevation) discovered that the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver (CVE-2020-11016).
Backend
- Fix misspelling of the environmental variable `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANAGER_CONTROLLER_CMD` (an 'a' was missing).
- Fix handling of POST variable `msg` of the message-sending functionality available in the Inspect-tool.
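The two Backend items above describe the defensive pattern behind the fix: the controller command comes from configuration, and the user-supplied `msg` value must be treated strictly as data. The following is an added example written for this page, not IntelMQ Manager's own code; the shape of the controller invocation (`send <bot-id>` with the message on stdin) and the bot-id character set are assumptions made for illustration.

```python
import json
import re
import shlex
import subprocess

# Constructed example: a hardened handler for a user-supplied message body.
# This is NOT IntelMQ Manager's code; the controller invocation and the
# "send" argument shape are assumptions for illustration.

MAX_MSG_BYTES = 64 * 1024
BOT_ID_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def parse_msg(raw: str) -> dict:
    """Accept the POST variable `msg` only as a JSON object.

    Anything that is not valid JSON, is not an object, or is too large is
    rejected before it can reach the controller. The raw text is never
    evaluated or interpolated into a command string.
    """
    if len(raw.encode("utf-8")) > MAX_MSG_BYTES:
        raise ValueError("message too large")
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"message is not valid JSON: {exc.msg}") from exc
    if not isinstance(msg, dict):
        raise ValueError("message must be a JSON object")
    return msg


def validate_bot_id(bot_id: str) -> str:
    """Allow only a conservative identifier alphabet (assumed for this example)."""
    if not BOT_ID_RE.match(bot_id):
        raise ValueError("invalid bot id")
    return bot_id


def build_send_command(controller_cmd: str, bot_id: str, raw_msg: str):
    """Return (argv, stdin_bytes) for the controller call.

    The controller command comes from configuration (the
    INTELMQ_MANAGER_CONTROLLER_CMD setting on this page, split with shlex),
    the bot id is whitelisted, and the message travels on stdin as canonical
    JSON, so no user-controlled byte ever becomes part of argv.
    """
    argv = shlex.split(controller_cmd) + ["send", validate_bot_id(bot_id)]
    payload = json.dumps(parse_msg(raw_msg), separators=(",", ":")).encode("utf-8")
    return argv, payload


def send_message(controller_cmd: str, bot_id: str, raw_msg: str) -> int:
    """Run the controller with an argument list; shell=False is the default,
    so argv goes to execve and never through /bin/sh."""
    argv, payload = build_send_command(controller_cmd, bot_id, raw_msg)
    proc = subprocess.run(argv, input=payload, capture_output=True, timeout=30)
    return proc.returncode
```

The point of the split into `parse_msg`, `validate_bot_id` and `build_send_command` is that every rejection happens before any process is spawned, and the only values that reach `subprocess.run` are the configured command, a whitelisted identifier and re-serialized JSON.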
Pages
Monitor
- Fix running commands with the "inspect" widget by fixing the definition of the `CONTROLLER_CMD` in the template (PR 194).
Documentation
- Update supported operating systems in Installation documentation (including PR 191).
Known issues
- Missing CSRF protection (111).
- Graph jumps around on "Add edge" (148).
- Wrong error message for new bots with an existing ID (152).
- `ALLOWED_PATH=` violates CSP (183).
- Monitor page: automatic log refresh resets the log page to the first one (190).