Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Uncontrolled Recursion and Asymmetric Resource Consumption (Amplification) in media/file proxy in Misskey
Vulnerability Description
Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check incoming requests are not coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and end the request with a malicious redirect back to another nested proxy request. Leading to unbounded recursion until the original request is timed out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker can not effectively modify the User-Agent header without making another request to the server.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Vulnerability Type
不对称的资源消耗(放大攻击)
Vulnerability Title
Misskey 安全漏洞
Vulnerability Description
Misskey是Misskey开源的一个永久免费的开源联合社交媒体平台。 Misskey 2024.10.1及之前版本存在安全漏洞,该漏洞源于未检测到代理循环,允许远程参与者通过恶意制作的注释执行自传播反射/放大分布式拒绝服务。
CVSS Information
N/A
Vulnerability Type
N/A