CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
6.5 | $0-$5k | 0.00 |
A vulnerability classified as critical was found in Misskey. An unknown part of the code is affected. Manipulation with an unknown input leads to an unrestricted upload vulnerability. The issue is classified as CWE-434: the product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This has an impact on confidentiality, integrity, and availability. CVE summarizes:
Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded documents in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue.
The weakness was disclosed on 02/20/2024 as GHSA-qqrm-9grj-6v32. The advisory is available at github.com. This vulnerability has been known as CVE-2024-25636 since 02/08/2024. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1608.002 by the MITRE ATT&CK project.
Upgrading to version 2024.2.0 eliminates this vulnerability. Applying the patch 9a70ce8f5ea9df00001894809f5ce7bc69b14c8a also eliminates the problem. The bugfix is ready for download at github.com. The recommended mitigation is upgrading to the latest version.
See VDB-138927, VDB-181603, VDB-182112 and VDB-221639 for similar entries.
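The check whose absence the CVE summary describes, as an added example (not Misskey's patch and not code from the advisory): a fetcher accepts a remote object only when the response `Content-Type` is one of the two Activity Streams media types that ActivityPub defines. The function names and the sample headers are hypothetical.

```javascript
// Added example; function names are hypothetical, not Misskey's patch code.
const AS_PROFILE = 'https://www.w3.org/ns/activitystreams';

// Split on `sep`, ignoring separators inside quoted-string parameter values.
function splitOutsideQuotes(s, sep) {
  const out = [];
  let cur = '', inQuote = false;
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (c === '\\' && inQuote && i + 1 < s.length) { cur += c + s[++i]; continue; }
    if (c === '"') inQuote = !inQuote;
    if (c === sep && !inQuote) { out.push(cur); cur = ''; continue; }
    cur += c;
  }
  out.push(cur);
  return out;
}

// Parse a Content-Type value into { type, params }; null if malformed.
function parseMediaType(header) {
  if (typeof header !== 'string') return null;
  const [rawType, ...rawParams] = splitOutsideQuotes(header, ';');
  const type = rawType.trim().toLowerCase();
  if (!/^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(type)) return null;
  const params = new Map();
  for (const p of rawParams) {
    const eq = p.indexOf('=');
    if (eq < 0) continue;
    let value = p.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1).replace(/\\(.)/g, '$1');
    }
    const name = p.slice(0, eq).trim().toLowerCase();
    if (!params.has(name)) params.set(name, value); // first occurrence wins
  }
  return { type, params };
}

// True only for the two media types ActivityPub defines for Activity Streams.
function isActivityStreamsContentType(header) {
  const mt = parseMediaType(header);
  if (mt === null) return false;
  if (mt.type === 'application/activity+json') return true;
  if (mt.type !== 'application/ld+json') return false;
  return (mt.params.get('profile') || '').split(/\s+/).includes(AS_PROFILE);
}

// Constructed sample headers: a legitimate actor document vs. a user upload.
const SAMPLES = ['application/activity+json; charset=utf-8', 'image/png'];
function acceptedSamples() { return SAMPLES.filter((h) => isActivityStreamsContentType(h)); }
```

A substring match on the header would accept `text/html; note="application/activity+json"`; parsing the type and the `profile` parameter separately rejects it.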
CVSSv3
VulDB Meta Base Score: 6.7
VulDB Meta Temp Score: 6.5
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
CNA Base Score: 7.1
Exploiting
Class: Unrestricted upload
CWE: CWE-434 / CWE-284 / CWE-266
Local: No
Remote: Yes
Status: Not defined
Countermeasures
Recommended: Upgrade
Upgrade: Misskey 2024.2.0
Patch: 9a70ce8f5ea9df00001894809f5ce7bc69b14c8a
Timeline
02/08/2024 CVE reserved
02/20/2024 Advisory disclosed
02/20/2024 VulDB entry created
02/20/2024 VulDB entry last update
Sources
Advisory: GHSA-qqrm-9grj-6v32
Status: Confirmed
CVE: CVE-2024-25636
Entry
Created: 02/20/2024 07:17
Changes: 02/20/2024 07:17 (49)