Lucene search

GitHub_MVULNRICHMENT:CVE-2024-32983

HistoryJun 03, 2024 - 3:16 p.m.

CVE-2024-32983 Misskey allows the impersonation and takeover of remote accounts with unnormalized signed activities

2024-06-0315:16:26

CWE-863

GitHub_M

github.com

cve-2024-32983

misskey

impersonation

takeover

remote accounts

unnormalized signed activities

json structures

activitypub

spoofing

vulnerability

fixed

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Misskey is an open source, decentralized microblogging platform. Misskey doesn’t perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0.

CNA Affected

[
  {
    "vendor": "misskey-dev",
    "product": "misskey",
    "versions": [
      {
        "version": "< 2024.5.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88

github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for VULNRICHMENT:CVE-2024-32983