CVE-2024-56200
HIGH
8,6
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: changed
Confidentiality: none
Integrity: none
Availability: high
Description
AI Translation Available
Altair is a fork of Misskey v12. Affected versions lack of request validation and lack of authentication in the image proxy for compressing and resizing remote files could allow attacks that could affect availability, such as by abnormally increasing the CPU usage of the server on which this software is running or placing a heavy load on the network it is using. This issue has been fixed in v12.24Q4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,0022
Percentile
0,4th
Updated
EPSS Score Trend (Last 90 Days)
400
Uncontrolled Resource Consumption
DraftCommon Consequences
Security Scopes Affected:
Availability
Access Control
Other
Potential Impacts:
Dos: Crash, Exit, Or Restart
Dos: Resource Consumption (Cpu)
Dos: Resource Consumption (Memory)
Dos: Resource Consumption (Other)
Bypass Protection Mechanism
Other
Applicable Platforms
All platforms may be affected
405
Asymmetric Resource Consumption (Amplification)
IncompleteCommon Consequences
Security Scopes Affected:
Availability
Potential Impacts:
Dos: Amplification
Dos: Resource Consumption (Cpu)
Dos: Resource Consumption (Memory)
Dos: Resource Consumption (Other)
Applicable Platforms
Technologies:
Client Server, Not Technology-Specific
https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v23600
https://github.com/nexryai/altair/commit/20bad5155a8d73f8d807c6c1ae0f7b8041331b…
https://github.com/nexryai/altair/security/advisories/GHSA-3pfm-hp96-pfgv