Lucene search

GoogleOSV:CVE-2024-32983

HistoryJun 03, 2024 - 4:15 p.m.

CVE-2024-32983

2024-06-0316:15:08

Google

osv.dev

misskey

decentralized

microblogging

json

normalization

vulnerability

fix

2024.5.0

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

6.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Misskey is an open source, decentralized microblogging platform. Misskey doesn’t perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0.

CPENameOperatorVersion
misskeyeq11.1.1
misskeyeq13.0.0-rc.7
misskeyeq8.16.0
misskeyeq8.6.0
misskeyeq13.14.0-beta.4
misskeyeq8.43.0
misskeyeq12.112.1
misskeyeq10.16.0
misskeyeq10.68.0
misskeyeq2024.2.0-beta.7

Name	Operator	Version
misskey	eq	11.1.1
misskey	eq	13.0.0-rc.7
misskey	eq	8.16.0
misskey	eq	8.6.0
misskey	eq	13.14.0-beta.4
misskey	eq	8.43.0
misskey	eq	12.112.1
misskey	eq	10.16.0
misskey	eq	10.68.0
misskey	eq	2024.2.0-beta.7

Rows per page:

1-10 of 9351

References

github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88

github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

6.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for OSV:CVE-2024-32983