Lucene search

[email protected]CVE-2024-32983

HistoryJun 03, 2024 - 4:15 p.m.

CVE-2024-32983

2024-06-0316:15:08

CWE-863

[email protected]

web.nvd.nist.gov

cve

2024

32983

nvd

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.2%

JSON

Misskey is an open source, decentralized microblogging platform. Misskey doesn’t perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0.

Affected configurations

Vulners

Node

misskey-devmisskeyRange<2024.5.0

CNA Affected

[
  {
    "vendor": "misskey-dev",
    "product": "misskey",
    "versions": [
      {
        "version": "< 2024.5.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88

github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for CVE-2024-32983

nvd1 vulnrichment1 osv1 cvelist1