CVE-2021-39195

Description

Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in "Upload from URL" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running.

Related CPE's

a misskey misskey ********

References

https://github.com/misskey-dev/misskey/security/advisories/GHSA-mqv7-gxh4-r5vf

Issue TrackingPatchThird Party Advisory

https://github.com/misskey-dev/misskey/commit/e1a8b158e04ad567d92d8daf3cc0898ee18f1a2e

PatchThird Party Advisory

https://github.com/misskey-dev/misskey/blob/develop/CHANGELOG.md#12900-20210904

Release NotesThird Party Advisory

CvssV3 impact

Version	3.1
VectorString	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AttackVector	NETWORK
AttackComplexity	LOW
PrivilegesRequired	LOW
UserInteraction	NONE
Scope	UNCHANGED
ConfidentialityImpact	HIGH
IntegrityImpact	NONE
AvailabilityImpact	NONE
BaseScore	6.5
BaseSeverity	MEDIUM

CvssV2 impact

AccessComplexity	LOW
ConfidentialityImpact	PARTIAL
AvailabilityImpact	NONE
IntegrityImpact	NONE
BaseScore	4
VectorString	AV:N/AC:L/Au:S/C:P/I:N/A:N
Version	2.0
AccessVector	NETWORK
Authentication	SINGLE

Created by Yello

About Severity.io