{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32983", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-22T15:14:59.167Z", "datePublished": "2024-06-03T15:16:26.186Z", "dateUpdated": "2024-08-02T02:27:53.540Z"}, "containers": {"cna": {"title": "Misskey allows the impersonation and takeover of remote accounts with unnormalized signed activities", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj"}, {"name": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88", "tags": ["x_refsource_MISC"], "url": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88"}], "affected": [{"vendor": "misskey-dev", "product": "misskey", "versions": [{"version": "< 2024.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-03T15:16:26.186Z"}, "descriptions": [{"lang": "en", "value": "Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0."}], "source": {"advisory": "GHSA-2vxv-pv3m-3wvj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-05T18:23:27.330641Z", "id": "CVE-2024-32983", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T18:23:37.542Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:53.540Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj"}, {"name": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj", "name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88", "name": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:53.540Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32983", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-05T18:23:27.330641Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T18:23:33.893Z"}}], "cna": {"title": "Misskey allows the impersonation and takeover of remote accounts with unnormalized signed activities", "source": {"advisory": "GHSA-2vxv-pv3m-3wvj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "misskey-dev", "product": "misskey", "versions": [{"status": "affected", "version": "< 2024.5.0"}]}], "references": [{"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj", "name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88", "name": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-03T15:16:26.186Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32983", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:27:53.540Z", "dateReserved": "2024-04-22T15:14:59.167Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-03T15:16:26.186Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*", "matchCriteriaId": "2046AAAB-CCA5-4550-94B9-66638A482274", "versionEndExcluding": "2024.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0."}, {"lang": "es", "value": "Misskey es una plataforma de microblogging descentralizada de c\u00f3digo abierto. Misskey no realiza una normalizaci\u00f3n adecuada en las estructuras JSON de los objetos de actividad entrantes firmados de ActivityPub antes de procesarlos, lo que permite a los actores de amenazas falsificar el contenido de las actividades firmadas y hacerse pasar por los autores de las actividades originales. Esta vulnerabilidad se solucion\u00f3 en 2024.5.0."}], "id": "CVE-2024-32983", "lastModified": "2025-11-25T20:37:04.547", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-03T16:15:08.567", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}