CVE-2024-23649: Any authenticated user may obtain private message details from other users on the same instance

January 24, 2024

Users can report private messages, even when they’re neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an instance. A user with instance admin privileges can also abuse this if the private message is removed from the response, as they’re able to see the resulting reports.

References

github.com/LemmyNet/lemmy
github.com/LemmyNet/lemmy/commit/bc32b408b523b9b64aa57b8e47748f96cce0dae5
github.com/LemmyNet/lemmy/security/advisories/GHSA-r64r-5h43-26qv
github.com/advisories/GHSA-r64r-5h43-26qv
nvd.nist.gov/vuln/detail/CVE-2024-23649

Detect and mitigate CVE-2024-23649 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →