![]() ![]() Prior to version 2024.2.0, when fetching remote Activity Streams objects, Misskey doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Misskey instance fetch it, if the remote server accepts arbitrary user uploads. Misskey is an open source, decentralized social media platform with ActivityPub support. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyhveload(8), which is often the system root. ![]() ![]() In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to, allowing the loader to read any file the host user has access to. `bhyveload -h ` may be used to grant loader access to the directory tree on the host. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |