CVE-2024-25636

EPSS 0.66%
Veröffentlicht 19.02.2024 20:15:46
Zuletzt bearbeitet 05.02.2025 22:36:30
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Lack of media type verification of Activity Streams objects allows impersonation and takeover of remote accounts

Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Misskey ≫ Misskey Version < 2024.2.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.66%	0.465

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119

Product

https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308

Product

https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143

Product

https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a

Patch

https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-25636

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-25636

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-25636

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-25636