CVE-2024-32983 - Vulnerability Details - OpenCVE

Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88
https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj

History

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00125}`	epss `{'score': 0.00126}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-03T15:16:26.186Z

Updated: 2024-08-02T02:27:53.540Z

Reserved: 2024-04-22T15:14:59.167Z

Link: CVE-2024-32983

Vulnrichment

Updated: 2024-08-02T02:27:53.540Z

NVD

Status : Awaiting Analysis

Published: 2024-06-03T16:15:08.567

Modified: 2024-11-21T09:16:10.010

Link: CVE-2024-32983

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32983", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-22T15:14:59.167Z", "datePublished": "2024-06-03T15:16:26.186Z", "dateUpdated": "2024-08-02T02:27:53.540Z"}, "containers": {"cna": {"title": "Misskey allows the impersonation and takeover of remote accounts with unnormalized signed activities", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj"}, {"name": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88", "tags": ["x_refsource_MISC"], "url": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88"}], "affected": [{"vendor": "misskey-dev", "product": "misskey", "versions": [{"version": "< 2024.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-03T15:16:26.186Z"}, "descriptions": [{"lang": "en", "value": "Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0."}], "source": {"advisory": "GHSA-2vxv-pv3m-3wvj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-05T18:23:27.330641Z", "id": "CVE-2024-32983", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T18:23:37.542Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:53.540Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj"}, {"name": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj", "name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88", "name": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:53.540Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32983", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-05T18:23:27.330641Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T18:23:33.893Z"}}], "cna": {"title": "Misskey allows the impersonation and takeover of remote accounts with unnormalized signed activities", "source": {"advisory": "GHSA-2vxv-pv3m-3wvj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "misskey-dev", "product": "misskey", "versions": [{"status": "affected", "version": "< 2024.5.0"}]}], "references": [{"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj", "name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88", "name": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-03T15:16:26.186Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32983", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:27:53.540Z", "dateReserved": "2024-04-22T15:14:59.167Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-03T15:16:26.186Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Misskey is an open source, decentralized microblogging platform. Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities. This vulnerability is fixed in 2024.5.0."}, {"lang": "es", "value": "Misskey es una plataforma de microblogging descentralizada de c\u00f3digo abierto. Misskey no realiza una normalizaci\u00f3n adecuada en las estructuras JSON de los objetos de actividad entrantes firmados de ActivityPub antes de procesarlos, lo que permite a los actores de amenazas falsificar el contenido de las actividades firmadas y hacerse pasar por los autores de las actividades originales. Esta vulnerabilidad se solucion\u00f3 en 2024.5.0."}], "id": "CVE-2024-32983", "lastModified": "2024-11-21T09:16:10.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-03T16:15:08.567", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88"}, {"source": "security-advisories@github.com", "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/misskey-dev/misskey/commit/d2a5bb39e344fcb84a24ae60faafe4694b227b88"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}