SSRF in Misskey-dev Misskey
CVE-2021-39195
Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in "Upload from URL" and remote attachment handling. This could result in the disclosure of non-public…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.002 (47.2th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.7 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.
Affected products
- Misskey-dev Misskey — versions < 12.90.0
Weakness classification (CWE)
References
- github.com/misskey-dev/misskey/security/advisories/GHSA-mqv7-gxh4-r5vf (x_refsource_CONFIRM)
- github.com/misskey-dev/misskey/commit/e1a8b158e04ad567d92d8daf3cc0898ee18f1a2e (x_refsource_MISC)
- github.com/misskey-dev/misskey/blob/develop/CHANGELOG.md (x_refsource_MISC)
Frequently asked questions
- What is CVE-2021-39195?
- CVE-2021-39195 is a high-severity vulnerability in Misskey-dev Misskey, classified under Server-Side Request Forgery (SSRF). CVSS score: 7.7/10. Published 2021-09-07.
- How severe is CVE-2021-39195?
- High severity. CVSS v3 base score is 7.7 out of 10.