Lucene search

GitHub_MCVELIST:CVE-2021-39195

HistorySep 07, 2021 - 7:00 p.m.

CVE-2021-39195 Server-Side Request Forgery vulnerability in misskey

2021-09-0719:00:12

CWE-918

GitHub_M

www.cve.org

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

7.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.4%

JSON

Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in “Upload from URL” and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running.

CNA Affected

[
  {
    "product": "misskey",
    "vendor": "misskey-dev",
    "versions": [
      {
        "status": "affected",
        "version": "< 12.90.0"
      }
    ]
  }
]

References

github.com/misskey-dev/misskey/blob/develop/CHANGELOG.md#12900-20210904

github.com/misskey-dev/misskey/commit/e1a8b158e04ad567d92d8daf3cc0898ee18f1a2e

github.com/misskey-dev/misskey/security/advisories/GHSA-mqv7-gxh4-r5vf

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

7.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.4%

JSON

Related for CVELIST:CVE-2021-39195