What is CVE-2024-23649?

CVE-2024-23649 is a high-severity vulnerability in Lemmynet Lemmy, classified under Improper Authorization. CVSS score: 7.5/10. Published 2024-01-24.

How severe is CVE-2024-23649?

High severity. CVSS v3 base score is 7.5 out of 10.

Auth bypass in Lemmynet Lemmy

CVE-2024-23649

Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating…

EPSS: 0.004 (59.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Lemmynet Lemmy — versions >= 0.17.0, < 0.19.1

Weakness classification (CWE)

References

https://github.com/LemmyNet/lemmy/security/advisories/GHSA-r64r-5h43-26qv (x_refsource_CONFIRM)
https://github.com/LemmyNet/lemmy/commit/bc32b408b523b9b64aa57b8e47748f96cce0dae5 (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-23649?: CVE-2024-23649 is a high-severity vulnerability in Lemmynet Lemmy, classified under Improper Authorization. CVSS score: 7.5/10. Published 2024-01-24.
How severe is CVE-2024-23649?: High severity. CVSS v3 base score is 7.5 out of 10.