CVE-2024-25108 - OpenCVE

Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including to the administrative and moderator functionality of the Pixelfed server. This vulnerability affects every version of Pixelfed between v0.10.4 and v0.11.9, inclusive. A proof of concept of this vulnerability exists. This vulnerability affects every local user of a Pixelfed server, and can potentially affect the servers' ability to federate. Some user interaction is required to setup the conditions to be able to exercise the vulnerability, but the attacker could conduct this attack time-delayed manner, where user interaction is not actively required. This vulnerability has been addressed in version 0.11.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://github.com/pixelfed/pixelfed/commit/7e47d6dccb0393a2e95c42813c562c854882b037
https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-12T20:05:23.549Z

Updated: 2024-02-12T20:05:23.549Z

Reserved: 2024-02-05T14:14:46.378Z

Link: CVE-2024-25108

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-02-12T20:15:08.590

Modified: 2024-02-12T20:39:09.773

Link: CVE-2024-25108

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-25108", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-05T14:14:46.378Z", "datePublished": "2024-02-12T20:05:23.549Z", "dateUpdated": "2024-02-12T20:05:23.549Z"}, "containers": {"cna": {"title": "Insufficient authorization allowing elevated access to resources in pixelfed", "problemTypes": [{"descriptions": [{"cweId": "CWE-280", "lang": "en", "description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges ", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf"}, {"name": "https://github.com/pixelfed/pixelfed/commit/7e47d6dccb0393a2e95c42813c562c854882b037", "tags": ["x_refsource_MISC"], "url": "https://github.com/pixelfed/pixelfed/commit/7e47d6dccb0393a2e95c42813c562c854882b037"}], "affected": [{"vendor": "pixelfed", "product": "pixelfed", "versions": [{"version": ">= 0.10.4, < 0.11.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-12T20:05:23.549Z"}, "descriptions": [{"lang": "en", "value": "Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including to the administrative and moderator functionality of the Pixelfed server. This vulnerability affects every version of Pixelfed between v0.10.4 and v0.11.9, inclusive. A proof of concept of this vulnerability exists. This vulnerability affects every local user of a Pixelfed server, and can potentially affect the servers' ability to federate. Some user interaction is required to setup the conditions to be able to exercise the vulnerability, but the attacker could conduct this attack time-delayed manner, where user interaction is not actively required. This vulnerability has been addressed in version 0.11.11. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-gccq-h3xj-jgvf", "discovery": "UNKNOWN"}}}}

{"descriptions": [{"lang": "en", "value": "Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including to the administrative and moderator functionality of the Pixelfed server. This vulnerability affects every version of Pixelfed between v0.10.4 and v0.11.9, inclusive. A proof of concept of this vulnerability exists. This vulnerability affects every local user of a Pixelfed server, and can potentially affect the servers' ability to federate. Some user interaction is required to setup the conditions to be able to exercise the vulnerability, but the attacker could conduct this attack time-delayed manner, where user interaction is not actively required. This vulnerability has been addressed in version 0.11.11. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Pixelfed es una plataforma para compartir fotograf\u00edas de c\u00f3digo abierto. Al procesar las solicitudes, la autorizaci\u00f3n se verific\u00f3 de manera inadecuada e insuficiente, lo que permiti\u00f3 a los atacantes acceder a muchas m\u00e1s funciones de las que los usuarios pretend\u00edan, incluidas las funciones administrativas y de moderador del servidor Pixelfed. Esta vulnerabilidad afecta a todas las versiones de Pixelfed entre la v0.10.4 y la v0.11.9, inclusive. Existe una prueba de concepto de esta vulnerabilidad. Esta vulnerabilidad afecta a todos los usuarios locales de un servidor Pixelfed y puede afectar potencialmente la capacidad de los servidores para federarse. Se requiere cierta interacci\u00f3n del usuario para configurar las condiciones para poder ejercer la vulnerabilidad, pero el atacante podr\u00eda realizar este ataque de manera retardada, donde no se requiere activamente la interacci\u00f3n del usuario. Esta vulnerabilidad se ha solucionado en la versi\u00f3n 0.11.11. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-25108", "lastModified": "2024-02-12T20:39:09.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-02-12T20:15:08.590", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/pixelfed/pixelfed/commit/7e47d6dccb0393a2e95c42813c562c854882b037"}, {"source": "security-advisories@github.com", "url": "https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-280"}, {"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}