{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-25636", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-08T22:26:33.513Z", "datePublished": "2024-02-19T19:42:20.688Z", "dateUpdated": "2024-08-15T18:36:56.288Z"}, "containers": {"cna": {"title": "Lack of media type verification of Activity Streams objects allows impersonation and takeover of remote accounts", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32"}, {"name": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a", "tags": ["x_refsource_MISC"], "url": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a"}, {"name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119", "tags": ["x_refsource_MISC"], "url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119"}, {"name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308", "tags": ["x_refsource_MISC"], "url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308"}, {"name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143", "tags": ["x_refsource_MISC"], "url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143"}], "affected": [{"vendor": "misskey-dev", "product": "misskey", "versions": [{"version": "< 2024.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-19T19:42:20.688Z"}, "descriptions": [{"lang": "en", "value": "Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue."}], "source": {"advisory": "GHSA-qqrm-9grj-6v32", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:44:09.892Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32"}, {"name": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a"}, {"name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119"}, {"name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308"}, {"name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143"}]}, {"affected": [{"vendor": "misskey", "product": "misskey", "cpes": ["cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2024.2.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-20T15:05:48.681826Z", "id": "CVE-2024-25636", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T18:36:56.288Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32", "name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a", "name": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119", "name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308", "name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143", "name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:44:09.892Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25636", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-02-20T15:05:48.681826Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*"], "vendor": "misskey", "product": "misskey", "versions": [{"status": "affected", "version": "0", "lessThan": "2024.2.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T18:35:27.487Z"}}], "cna": {"title": "Lack of media type verification of Activity Streams objects allows impersonation and takeover of remote accounts", "source": {"advisory": "GHSA-qqrm-9grj-6v32", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "misskey-dev", "product": "misskey", "versions": [{"status": "affected", "version": "< 2024.2.0"}]}], "references": [{"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32", "name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a", "name": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119", "name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308", "name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143", "name": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-19T19:42:20.688Z"}}}, "cveMetadata": {"cveId": "CVE-2024-25636", "state": "PUBLISHED", "dateUpdated": "2024-08-15T18:36:56.288Z", "dateReserved": "2024-02-08T22:26:33.513Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-19T19:42:20.688Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Misskey is an open source, decentralized social media platform with ActivityPub support. Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate and take over an account on a remote server that satisfies all of the following properties: allows the threat actor to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Version 2024.2.0 contains a patch for the issue."}, {"lang": "es", "value": "Misskey es una plataforma de redes sociales descentralizada y de c\u00f3digo abierto con soporte ActivityPub. Antes de la versi\u00f3n 2024.2.0, al recuperar objetos remotos de Activity Streams, Misskey no verifica que la respuesta del servidor remoto tenga un valor de encabezado `Content-Type` del tipo de medio Activity Streams, lo que permite a un actor de amenazas cargar un documento de Activity Streams elaborado a un servidor remoto y hacer que una instancia de Misskey lo recupere, si el servidor remoto acepta cargas arbitrarias de usuarios. La vulnerabilidad permite que un actor de amenazas se haga pasar por una cuenta y se haga cargo de ella en un servidor remoto que cumple con todas las siguientes propiedades: permite al actor de amenazas registrar una cuenta; acepta documentos arbitrarios subidos por usuarios y los coloca en el mismo dominio que los actores leg\u00edtimos de Activity Streams; y proporciona documentos subidos por el usuario en respuesta a solicitudes con un valor de encabezado \"Aceptar\" del tipo de medio Activity Streams. La versi\u00f3n 2024.2.0 contiene un parche para el problema."}], "id": "CVE-2024-25636", "lastModified": "2024-02-20T19:50:53.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-02-19T20:15:46.077", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/ApResolverService.ts#L69-L119"}, {"source": "security-advisories@github.com", "url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/core/activitypub/models/ApNoteService.ts#L112-L308"}, {"source": "security-advisories@github.com", "url": "https://github.com/misskey-dev/misskey/blob/2024.2.0-beta.10/packages/backend/src/server/api/endpoints/ap/show.ts#L125-L143"}, {"source": "security-advisories@github.com", "url": "https://github.com/misskey-dev/misskey/commit/9a70ce8f5ea9df00001894809f5ce7bc69b14c8a"}, {"source": "security-advisories@github.com", "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}