一、 漏洞 CVE-2024-49363 基础信息
漏洞标题
Misskey中media/file代理的不受控递归和资源消耗(放大)
来源:AIGC 神龙大模型
漏洞描述信息
N/A
来源:AIGC 神龙大模型
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
来源:AIGC 神龙大模型
漏洞类别
未加控制的资源消耗(资源穷尽)
来源:AIGC 神龙大模型
漏洞标题
Uncontrolled Recursion and Asymmetric Resource Consumption (Amplification) in media/file proxy in Misskey
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check incoming requests are not coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and end the request with a malicious redirect back to another nested proxy request. Leading to unbounded recursion until the original request is timed out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker can not effectively modify the User-Agent header without making another request to the server.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
来源:美国国家漏洞数据库 NVD
漏洞类别
不对称的资源消耗(放大攻击)
来源:美国国家漏洞数据库 NVD
漏洞标题
Misskey 安全漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Misskey是Misskey开源的一个永久免费的开源联合社交媒体平台。 Misskey 2024.10.1及之前版本存在安全漏洞,该漏洞源于未检测到代理循环,允许远程参与者通过恶意制作的注释执行自传播反射/放大分布式拒绝服务。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
其他
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2024-49363 的公开POC
# POC 描述 源链接 神龙链接
三、漏洞 CVE-2024-49363 的情报信息