Any authenticated user may obtain private message details from other users on the same instance
CVE-2024-23649
What is CVE-2024-23649?
Lemmy, the link aggregator, lets users report private messages even when they are neither the sender nor the recipient of the message. Because the API response to a newly created report includes the reported private message itself, its content is exposed to unauthorized users: any authenticated user on the instance can read other users' private messages by iterating through message IDs. Users with instance administrator privileges may exploit the issue further, especially where private messages are otherwise filtered out of responses. To mitigate the exposure, update to version 0.19.1; until the update can be applied, block the affected API endpoint in a reverse proxy or apply an equivalent control.
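The authorization gap described above, written out as an added illustration (this is not Lemmy's code; the types, function names and in-memory store are hypothetical): the vulnerable handler never compares the reporter with the message's parties and echoes the message back, while the hardened handler checks party membership and returns only a receipt.

```rust
// Added illustration of the authorization gap behind CVE-2024-23649.
// Not Lemmy's code: the types, function names and store are hypothetical.

#[derive(Debug, Clone, PartialEq)]
pub struct PrivateMessage { pub id: u64, pub creator_id: u64, pub recipient_id: u64, pub content: String }

/// What the hardened handler returns: a receipt, never the message body.
#[derive(Debug, PartialEq)]
pub struct ReportReceipt { pub private_message_id: u64, pub reporter_id: u64 }

#[derive(Debug, PartialEq)]
pub enum ReportError { NotFound }

fn find_pm(store: &[PrivateMessage], pm_id: u64) -> Option<&PrivateMessage> {
    store.iter().find(|m| m.id == pm_id)
}

/// Vulnerable shape: the reporter is never compared with the message's
/// parties and the whole message is echoed back, so any authenticated
/// user can read any message simply by reporting its id.
pub fn report_pm_vulnerable(store: &[PrivateMessage], reporter_id: u64, pm_id: u64)
    -> Result<PrivateMessage, ReportError> {
    let _ = reporter_id; // accepted, never checked
    find_pm(store, pm_id).cloned().ok_or(ReportError::NotFound)
}

/// Hardened shape: only the sender or recipient may report, and the reply
/// carries a receipt rather than the content. A non-party gets the same
/// NotFound as a missing id, so the endpoint does not confirm which ids exist.
pub fn report_pm_fixed(store: &[PrivateMessage], reporter_id: u64, pm_id: u64)
    -> Result<ReportReceipt, ReportError> {
    let pm = find_pm(store, pm_id).ok_or(ReportError::NotFound)?;
    if pm.creator_id != reporter_id && pm.recipient_id != reporter_id {
        return Err(ReportError::NotFound);
    }
    Ok(ReportReceipt { private_message_id: pm.id, reporter_id })
}

fn main() {
    // Constructed sample: one message between users 10 and 20; user 30 is a stranger.
    let store = vec![PrivateMessage { id: 1, creator_id: 10, recipient_id: 20, content: "hello".into() }];
    println!("vulnerable, stranger: {:?}", report_pm_vulnerable(&store, 30, 1));
    println!("fixed, stranger:      {:?}", report_pm_fixed(&store, 30, 1));
    println!("fixed, recipient:     {:?}", report_pm_fixed(&store, 20, 1));
}
```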
Affected Version(s)
lemmy >= 0.17.0, < 0.19.1
