CVE-2024-49363— Misskey 安全漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2024-49363の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Uncontrolled Recursion and Asymmetric Resource Consumption (Amplification) in media/file proxy in Misskey
ソース: NVD (National Vulnerability Database)
脆弱性説明
Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check incoming requests are not coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and end the request with a malicious redirect back to another nested proxy request. Leading to unbounded recursion until the original request is timed out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker can not effectively modify the User-Agent header without making another request to the server.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
不对称的资源消耗(放大攻击)
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
Misskey 安全漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
Misskey是Misskey开源的一个永久免费的开源联合社交媒体平台。 Misskey 2024.10.1及之前版本存在安全漏洞,该漏洞源于未检测到代理循环,允许远程参与者通过恶意制作的注释执行自传播反射/放大分布式拒绝服务。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
| ベンダー | プロダクト | 影響を受けるバージョン | CPE | 購読 |
|---|---|---|---|---|
| misskey-dev | misskey | < CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H | - |
II. CVE-2024-49363の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2024-49363のインテリジェンス情報
请登录查看更多情报信息。
Same Patch Batch · misskey-dev · 2024-12-18 · 6 CVEs total
| CVE-2024-52579 | 6.4 MEDIUM | Server-Side Request Forgery vulnerability in various APIs in Misskey |
| CVE-2024-52590 | Missing validation allows spoofed profiles in Misskey | |
| CVE-2024-52593 | Missing validation allows spoofed "origin" links in Misskey | |
| CVE-2024-52592 | Missing validation allows spoofed poll updates in Misskey | |
| CVE-2024-52591 | Missing validation allows spoofed profiles and notes in Misskey |
IV. 関連脆弱性
同じ製品: misskey
- CVE-2026-28433
Misskey lacks resource ownership validation - CVE-2026-28432
HTTP signature verification can be bypassed - CVE-2026-28431
Misskey lacks proper authorization checks and input validati - CVE-2025-66482
Misskey has a login rate limit bypass via spoofed X-Forwarde - CVE-2025-66402
misskey.js's export data contains private post data
同じベンダー: misskey-dev
- CVE-2026-28433
Misskey lacks resource ownership validation - CVE-2026-28432
HTTP signature verification can be bypassed - CVE-2026-28431
Misskey lacks proper authorization checks and input validati - CVE-2025-66482
Misskey has a login rate limit bypass via spoofed X-Forwarde - CVE-2025-66402
misskey.js's export data contains private post data
同じ弱点: CWE-405
- CVE-2026-35665
OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook - CVE-2026-35626
OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion v - CVE-2026-25611
Pre-Authentication Memory Exhaustion Denial of Service in Mo - CVE-2026-24324
Denial of service (DOS) vulnerability in SAP BusinessObjects - CVE-2026-0485
Denial of service (DOS) vulnerability in SAP BusinessObjects
V. CVE-2024-49363へのコメント
まだコメントはありません