CVE-2024-49363

CVSS V2 None CVSS V3 None
Description
Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check incoming requests are not coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and end the request with a malicious redirect back to another nested proxy request. Leading to unbounded recursion until the original request is timed out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker can not effectively modify the User-Agent header without making another request to the server.
Overview
  • CVE ID
  • CVE-2024-49363
  • Assigner
  • GitHub_M
  • Vulnerability Status
  • PUBLISHED
  • Published Version
  • 2024-12-18T19:24:34.399Z
  • Last Modified Date
  • 2024-12-18T19:24:34.399Z
Weakness Enumerations
CWE URL
CWE-405 http://cwe.mitre.org/data/definitions/405.html
CWE-674 http://cwe.mitre.org/data/definitions/674.html
References
Reference URL Reference Tags
https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236 x_refsource_CONFIRM
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2024-49363
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49363
History
Created Old Value New Value Data Type Notes
2024-12-19 13:23:19 Added to TrackCVE