Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
@fedify/fedify: Improper Authentication and Incorrect Authorization
Vulnerability Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances. This is fixed in versions 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9 and 1.8.5.
CVSS Information
N/A
Vulnerability Type
认证机制不恰当
Vulnerability Title
Fedify 安全漏洞
Vulnerability Description
Fedify是Hong Minhee个人开发者的一个 TypeScript 库。用于构建由 ActivityPub 和其他标准支持的联邦服务器应用程序。 Fedify存在安全漏洞,该漏洞源于身份验证绕过,可能导致任意ActivityPub角色冒充。
CVSS Information
N/A
Vulnerability Type
N/A