Misskey is an open source, federated social media platform. Some APIs using `HttpRequestService` do not properly check the target host. This vulnerability allows an attacker to send POST or GET requests to the internal server, which may result in a SSRF attack.It allows an attacker to send POST or GET requests (with some controllable URL parameters) to private IPs, enabling further attacks on internal servers. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
History

Thu, 19 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Dec 2024 19:30:00 +0000

Type Values Removed Values Added
Description Misskey is an open source, federated social media platform. Some APIs using `HttpRequestService` do not properly check the target host. This vulnerability allows an attacker to send POST or GET requests to the internal server, which may result in a SSRF attack.It allows an attacker to send POST or GET requests (with some controllable URL parameters) to private IPs, enabling further attacks on internal servers. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Title Server-Side Request Forgery vulnerability in various APIs in Misskey
Weaknesses CWE-20
CWE-918
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-12-18T19:22:31.869Z

Updated: 2024-12-19T16:46:52.543Z

Reserved: 2024-11-14T15:05:46.765Z

Link: CVE-2024-52579

cve-icon Vulnrichment

Updated: 2024-12-19T16:46:49.352Z

cve-icon NVD

Status : Received

Published: 2024-12-18T20:15:23.383

Modified: 2024-12-18T20:15:23.383

Link: CVE-2024-52579

cve-icon Redhat

No data.