Lucene search

GitHub_MCVELIST:CVE-2023-52139

HistoryDec 29, 2023 - 5:21 p.m.

CVE-2023-52139 Misskey vulnerable to improper authorization when accessing with third-party application

2023-12-2917:21:01

CWE-285

GitHub_M

www.cve.org

misskey

improper authorization

third-party application

confidential information

patch

version 2023.12.1

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.4%

JSON

Misskey is an open source, decentralized social media platform. Third-party applications may be able to access some endpoints or Websocket APIs that are incorrectly specified as kind or secure without the user’s permission and perform operations such as reading or adding non-public content. As a result, if the user who authenticated the application is an administrator, confidential information such as object storage secret keys and SMTP server passwords will be leaked, and general users can also create invitation codes without permission and leak non-public user information. This is patched in version 2023.12.1.

CNA Affected

[
  {
    "vendor": "misskey-dev",
    "product": "misskey",
    "versions": [
      {
        "version": "< 2023.12.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64

github.com/misskey-dev/misskey/security/advisories/GHSA-7pxq-6xx9-xpgm

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.4%

JSON

Related for CVELIST:CVE-2023-52139