CVE-2023-52139

Misskey is an open source, decentralized social media platform. Third-party applications may be able to access some endpoints or Websocket APIs that are incorrectly specified as [kind](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L811) or [secure](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L805) without the user's permission and perform operations such as reading or adding non-public content. As a result, if the user who authenticated the application is an administrator, confidential information such as object storage secret keys and SMTP server passwords will be leaked, and general users can also create invitation codes without permission and leak non-public user information. This is patched in version [2023.12.1](https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64).
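The defect class described above is that per-endpoint authorization metadata (`secure`, `kind`) was missing or wrong on some endpoints, so a third-party application token could reach them without the user ever granting that permission. The following TypeScript is an added illustration, not Misskey's code: the endpoint names, the `EndpointMeta` and `Credential` types, and the `authorizePermissive`, `authorizeFailClosed` and `findUnguardedEndpoints` functions are all hypothetical. It contrasts a permissive gate, where an endpoint that forgot to declare `secure` or `kind` silently admits any app token, with a fail-closed gate, and adds the audit a maintainer would run to catch mis-specified endpoints before release.

```typescript
// Added illustration (not Misskey's code): gating third-party application
// tokens on per-endpoint `secure` / `kind` metadata, and auditing for
// endpoints whose metadata would let such tokens through.

type Permission = 'read:account' | 'write:invite-codes';

// Hypothetical endpoint metadata, modelled on per-endpoint `secure` / `kind`
// flags of the sort the advisory refers to.
interface EndpointMeta {
  name: string;
  requireCredential: boolean; // caller must present some credential
  secure: boolean;            // only a native (first-party) session may call it
  kind?: Permission;          // permission a third-party app token must hold
}

// Hypothetical caller credential: a native session has no appPermissions;
// a third-party app token carries exactly the permissions the user granted.
interface Credential {
  userId: string;
  appPermissions?: Permission[];
}

type Decision = 'allow' | 'deny';

// Constructed sample registry. `admin/secrets` stands for an endpoint that
// returns instance secrets and is correctly marked secure; `invite/create` is
// correctly gated by a kind; `notes/hidden` is mis-specified: it requires a
// credential but declares neither `secure` nor `kind`.
const ENDPOINTS: EndpointMeta[] = [
  { name: 'admin/secrets', requireCredential: true, secure: true },
  { name: 'invite/create', requireCredential: true, secure: false, kind: 'write:invite-codes' },
  { name: 'notes/hidden', requireCredential: true, secure: false },
  { name: 'instance/info', requireCredential: false, secure: false },
];

function findEndpoint(name: string): EndpointMeta {
  const ep = ENDPOINTS.find((e) => e.name === name);
  if (!ep) throw new Error(`unknown endpoint ${name}`);
  return ep;
}

// Permissive gate: only an explicit `secure` or `kind` is enforced, so an app
// token reaches any credential-requiring endpoint that declares neither.
function authorizePermissive(epName: string, cred: Credential | null): Decision {
  const ep = findEndpoint(epName);
  if (ep.requireCredential && cred === null) return 'deny';
  // anonymous call to a public endpoint, or a native session
  if (cred === null || cred.appPermissions === undefined) return 'allow';
  if (ep.secure) return 'deny';
  if (ep.kind !== undefined && !cred.appPermissions.includes(ep.kind)) return 'deny';
  return 'allow';
}

// Fail-closed gate: an app token may call a credential-requiring endpoint only
// when the endpoint names a `kind` the token was granted. Missing metadata
// denies rather than allows, so a mis-specified endpoint cannot leak.
function authorizeFailClosed(epName: string, cred: Credential | null): Decision {
  const ep = findEndpoint(epName);
  if (ep.requireCredential && cred === null) return 'deny';
  if (cred === null || cred.appPermissions === undefined) return 'allow';
  if (ep.secure) return 'deny';
  if (!ep.requireCredential && ep.kind === undefined) return 'allow'; // public endpoint
  if (ep.kind === undefined) return 'deny';                           // unguarded: fail closed
  return cred.appPermissions.includes(ep.kind) ? 'allow' : 'deny';
}

// Audit: endpoints that require a credential yet declare neither `secure`
// nor `kind`. Under the permissive gate these are reachable by any app token.
function findUnguardedEndpoints(endpoints: EndpointMeta[]): string[] {
  return endpoints
    .filter((e) => e.requireCredential && !e.secure && e.kind === undefined)
    .map((e) => e.name);
}
```

Run against the sample registry, `findUnguardedEndpoints(ENDPOINTS)` reports `notes/hidden`, the permissive gate lets an app token holding only `read:account` call it, and the fail-closed gate denies that same call while still admitting the native session and the public endpoint. The design point is that the default for a credential-requiring endpoint should be deny, so that forgetting a flag is a functional bug the endpoint's own tests catch rather than an authorization bypass.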
Configurations

Configuration 1

cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:39

| Type | Values Removed | Values Added |
| --- | --- | --- |
| CVSS | v2 : unknown, v3 : 9.6 | v2 : unknown, v3 : 9.0 |
| References | https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64 - Patch | https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64 - Patch |
| References | https://github.com/misskey-dev/misskey/security/advisories/GHSA-7pxq-6xx9-xpgm - Third Party Advisory | https://github.com/misskey-dev/misskey/security/advisories/GHSA-7pxq-6xx9-xpgm - Third Party Advisory |

05 Jan 2024, 18:43

| Type | Values Removed | Values Added |
| --- | --- | --- |
| References | https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64 - | https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64 - Patch |
| References | https://github.com/misskey-dev/misskey/security/advisories/GHSA-7pxq-6xx9-xpgm - | https://github.com/misskey-dev/misskey/security/advisories/GHSA-7pxq-6xx9-xpgm - Third Party Advisory |
| CVSS | v2 : unknown, v3 : 9.0 | v2 : unknown, v3 : 9.6 |
| CPE | | cpe:2.3:a:misskey:misskey:*:*:*:*:*:*:*:* |
| First Time | | Misskey; Misskey misskey |
| Summary | | (es) Misskey is an open source, decentralized social media platform. Third-party applications may be able to access some endpoints or WebSocket APIs that are incorrectly specified as [kind](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L811) or [secure](https://github.com/misskey-dev/misskey/blob/406b4bdbe79b5b0b68fcdcb3c4b6e419460a0258/packages/backend/src/server/api/endpoints.ts#L805) without the user's permission and perform operations such as reading or adding non-public content. As a result, if the user who authenticated the application is an administrator, confidential information such as object storage secret keys and SMTP server passwords will be leaked, and general users can also create invitation codes without permission and leak non-public user information. This is patched in version [2023.12.1](https://github.com/misskey-dev/misskey/commit/c96bc36fedc804dc840ea791a9355d7df0748e64). |

29 Dec 2023, 18:15

| Type | Values Removed | Values Added |
| --- | --- | --- |
| New CVE | | |

Information

Published : 2023-12-29 18:15

Updated : 2024-11-21 08:39


NVD link : CVE-2023-52139

Mitre link : CVE-2023-52139

CVE.ORG link : CVE-2023-52139

Products Affected

misskey

  • misskey
CWE
CWE-285

Improper Authorization