CVE-2023-49095 - OpenCVE

nexkey is a microblogging platform. Insufficient validation of ActivityPub requests received in inbox could allow any user to impersonate another user in certain circumstances. This issue has been patched in version 12.122.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nexryai	Nexkey

Configuration 1 [-]

cpe:2.3:a:nexryai:nexkey:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/nexryai/nexkey/commit/b96da0eac5a1e75abba94cf926f1251842829bab
https://github.com/nexryai/nexkey/security/advisories/GHSA-fpxw-rw9v-2gmx

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-11-30T07:10:10.994Z

Updated: 2024-08-02T21:46:29.222Z

Reserved: 2023-11-21T18:57:30.430Z

Link: CVE-2023-49095

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-11-30T07:15:09.133

Modified: 2023-12-05T17:31:04.357

Link: CVE-2023-49095

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49095", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-21T18:57:30.430Z", "datePublished": "2023-11-30T07:10:10.994Z", "dateUpdated": "2024-08-02T21:46:29.222Z"}, "containers": {"cna": {"title": "nexkey allows arbitrary users to impersonate any remote user due to missing signature validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nexryai/nexkey/security/advisories/GHSA-fpxw-rw9v-2gmx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nexryai/nexkey/security/advisories/GHSA-fpxw-rw9v-2gmx"}, {"name": "https://github.com/nexryai/nexkey/commit/b96da0eac5a1e75abba94cf926f1251842829bab", "tags": ["x_refsource_MISC"], "url": "https://github.com/nexryai/nexkey/commit/b96da0eac5a1e75abba94cf926f1251842829bab"}], "affected": [{"vendor": "nexryai", "product": "nexkey", "versions": [{"version": "< 12.122.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-30T07:10:10.994Z"}, "descriptions": [{"lang": "en", "value": "nexkey is a microblogging platform. Insufficient validation of ActivityPub requests received in inbox could allow any user to impersonate another user in certain circumstances. This issue has been patched in version 12.122.2."}], "source": {"advisory": "GHSA-fpxw-rw9v-2gmx", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:29.222Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nexryai/nexkey/security/advisories/GHSA-fpxw-rw9v-2gmx", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nexryai/nexkey/security/advisories/GHSA-fpxw-rw9v-2gmx"}, {"name": "https://github.com/nexryai/nexkey/commit/b96da0eac5a1e75abba94cf926f1251842829bab", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nexryai/nexkey/commit/b96da0eac5a1e75abba94cf926f1251842829bab"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nexryai:nexkey:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0A765E23-8158-4CD7-ACF2-66ECF9A3FA1E", "versionEndExcluding": "12.122.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "nexkey is a microblogging platform. Insufficient validation of ActivityPub requests received in inbox could allow any user to impersonate another user in certain circumstances. This issue has been patched in version 12.122.2."}, {"lang": "es", "value": "nexkey es una plataforma de microblogging. Una validaci\u00f3n insuficiente de las solicitudes de ActivityPub recibidas en la bandeja de entrada podr\u00eda permitir que cualquier usuario se haga pasar por otro usuario en determinadas circunstancias. Este problema se solucion\u00f3 en la versi\u00f3n 12.122.2."}], "id": "CVE-2023-49095", "lastModified": "2023-12-05T17:31:04.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-11-30T07:15:09.133", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nexryai/nexkey/commit/b96da0eac5a1e75abba94cf926f1251842829bab"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nexryai/nexkey/security/advisories/GHSA-fpxw-rw9v-2gmx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}