SB2023112511 - Improper Verification of Cryptographic Signature in Misskey

Published: November 25, 2023 Updated: April 28, 2026

Security Bulletin ID: SB2023112511
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2023-49079)

The vulnerability allows a remote attacker to impersonate any remote user.

The vulnerability exists due to improper verification of cryptographic signatures during inbox signature verification of ActivityPub server-to-server federation requests. A remote attacker can send a crafted request with spoofed signature-related headers to impersonate any remote user.

The issue occurs because only the HTTP message signature itself is validated, while related headers such as Digest and Host are not properly validated.


Remediation

Install the update from the vendor's website.