Improper Authorization Affecting lemmy_server package, versions >=0.17.0
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-LEMMYSERVER-6187357
- published25 Jan 2024
- disclosed24 Jan 2024
- creditRichard Schwab
Introduced: 24 Jan 2024
CVE-2024-23649 (opens in a new tab)How to fix?
A fix was pushed into the master branch but not yet published.
Overview
Affected versions of this package are vulnerable to Improper Authorization via the private_message/report API endpoint. An authenticated user can obtain arbitrary, untargeted private message contents. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they're able to see the resulting reports.
Notes:
Not all mismatching reports should be considered malicious; though a frequent occurrence of them likely indicates an exploitation attempt.
Privileges required depend on the instance configuration; when registrations are enabled without application system, the privileges required are practically none. When registration applications are required, privileges required could be considered low, but this assessment heavily varies by instance.
Workaround
If an update to a fixed Lemmy version is not immediately possible, the API route can be blocked in the reverse proxy. This will prevent anyone from reporting private messages, but it will also prevent exploitation before the update has been applied.
nginx example:
location = /api/v3/private_message/report {
default_type application/json;
return 403 '{"error":"couldnt_create_report"}';
}
PoC
curl -v 'https://myinstance.tld/api/v3/private_message/report' -X POST -H 'Content-Type: application/json' -H 'authorization: Bearer ...' --data-raw '{"private_message_id":1,"reason":"i like reports"}'