FKIE_CVE-2024-39687

Vulnerability from fkie_nvd - Published: 2024-07-05 18:15 - Updated: 2024-11-21 09:28
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Summary
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the `@id` or other resources present within the activity it has received from the web. This activity could reference an `@id` that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server's network. This applies to not just resolution of documents containing activities or objects, but also to media URLs as well. Specifically this is a Server Side Request Forgery attack. Users should upgrade to Fedify version 0.9.2, 0.10.1, or 0.11.1 to receive a patch for this issue.
References
security-advisories@github.comhttps://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28
security-advisories@github.comhttps://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba
security-advisories@github.comhttps://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
af854a3a-2127-422b-91ae-364da2661108https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28
af854a3a-2127-422b-91ae-364da2661108https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba
af854a3a-2127-422b-91ae-364da2661108https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the `@id` or other resources present within the activity it has received from the web. This activity could reference an `@id` that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server\u0027s network. This applies to not just resolution of documents containing activities or objects, but also to media URLs as well. Specifically this is a Server Side Request Forgery attack. Users should upgrade to Fedify version 0.9.2, 0.10.1, or 0.11.1 to receive a patch for this issue."
    },
    {
      "lang": "es",
      "value": "Fedify es una biblioteca de TypeScript para crear aplicaciones de servidor federado impulsadas por ActivityPub y otros est\u00e1ndares. En la actualidad, cuando Fedify necesita recuperar un objeto o actividad de un servidor de actividad remoto, realiza una solicitud HTTP al `@id` u otros recursos presentes dentro de la actividad que ha recibido de la web. Esta actividad podr\u00eda hacer referencia a un `@id` que apunta a una direcci\u00f3n IP interna, permitiendo a un atacante enviar solicitudes a recursos internos de la red del servidor de Fedify. Esto se aplica no s\u00f3lo a la resoluci\u00f3n de documentos que contienen actividades u objetos, sino tambi\u00e9n a las URL de medios. Espec\u00edficamente, se trata de un ataque de Server Side Request Forgery. Los usuarios deben actualizar a Fedify versi\u00f3n 0.9.2, 0.10.1 o 0.11.1 para recibir un parche para este problema."
    }
  ],
  "id": "CVE-2024-39687",
  "lastModified": "2024-11-21T09:28:13.397",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-07-05T18:15:32.663",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/dahlia/fedify/commit/30f9cf4a175704a04c874f3ea88414c5f1e00b28"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/dahlia/fedify/commit/c641e976089dd913f649889c1bfb016df04e86ba"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/dahlia/fedify/security/advisories/GHSA-p9cg-vqcc-grcx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.