CVE-2024-32983 - OpenCVE

Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88
https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-03T15:16:26.186Z

Updated: 2024-06-05T18:23:37.542Z

Reserved: 2024-04-22T15:14:59.167Z

Link: CVE-2024-32983

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-06-03T16:15:08.567

Modified: 2024-06-03T19:23:17.807

Link: CVE-2024-32983

JSON object: View

Redhat Information

No data.

CWE

CWE-863

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32983", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-22T15:14:59.167Z", "datePublished": "2024-06-03T15:16:26.186Z", "dateUpdated": "2024-06-05T18:23:37.542Z"}, "containers": {"cna": {"title": "Misskey allows the impersonation and takeover of remote accounts with unnormalized signed activities", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj"}, {"name": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88", "tags": ["x_refsource_MISC"], "url": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88"}], "affected": [{"vendor": "misskey-dev", "product": "misskey", "versions": [{"version": "< 2024.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-03T15:16:26.186Z"}, "descriptions": [{"lang": "en", "value": "Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0."}], "source": {"advisory": "GHSA-2vxv-pv3m-3wvj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-05T18:23:27.330641Z", "id": "CVE-2024-32983", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T18:23:37.542Z"}}]}}