Lucene search

[email protected]NVD:CVE-2024-32983

HistoryJun 03, 2024 - 4:15 p.m.

CVE-2024-32983

2024-06-0316:15:08

CWE-863

[email protected]

web.nvd.nist.gov

misskey

microblogging

platform

json spoofing

vulnerability

fixed

2024.5.0

activitypub

threat actors

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Misskey is an open source, decentralized microblogging platform. Misskey doesn’t perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0.

References

github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88

github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for NVD:CVE-2024-32983

osv1 cve1 vulnrichment1 cvelist1