Misskey allows the impersonation and takeover of remote accounts with unnormalized signed activities
CVE-2024-32983

8.2 HIGH

Key Information:

CVE Published: 3 June 2024

What is CVE-2024-32983?

Misskey, an open source decentralized microblogging platform, does not properly normalize JSON structures within incoming signed ActivityPub activity objects. This flaw lets threat actors manipulate the content of these signed activities and potentially impersonate their original authors, undermining the integrity of user interactions. The issue is fixed in version 2024.5.0.

Affected Version(s)

misskey < 2024.5.0

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
