CVE-2024-32983
Last modified
CVE-2024-32983 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. EPSS estimates a 0.40% chance of exploitation in the next 30 days.
Description
Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Misskey | Misskey | < 2024.5.0 |
References
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvjExploit, Vendor Advisory
- https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvjExploit, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-32983?
How severe is CVE-2024-32983?
How do I fix CVE-2024-32983?
Are you affected by CVE-2024-32983?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST