Misskey · Misskey · CVE-2024-25636
**Name of the Vulnerable Software and Affected Versions**
Misskey versions prior to 2024.2.0
**Description**
Misskey is an open source, decentralized social media platform with ActivityPub support. The issue arises when fetching remote Activity Streams objects: Misskey does not check that the response from the remote server carries a `Content-Type` header whose value is the Activity Streams media type. If a remote server accepts arbitrary user uploads, a threat actor can upload a crafted Activity Streams document there and make a Misskey instance fetch it. The vulnerability enables a threat actor to impersonate and take over an account on a remote server that has all of the following properties: it allows the threat actor to register an account, it accepts arbitrary user-uploaded documents and places them on the same domain as legitimate Activity Streams actors, and it serves user-uploaded documents in response to requests with an `Accept` header value of the Activity Streams media type.
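The missing check described above is a media-type check on the fetched response. The following is an added example, not Misskey's own code or its patch, showing what such a check looks like: it parses the `Content-Type` header (media type plus parameters such as `charset` or `profile`), accepts only the Activity Streams media types defined by ActivityPub (`application/activity+json`, or `application/ld+json` with the `https://www.w3.org/ns/activitystreams` profile), and refuses to parse the body otherwise. The `ResponseLike` interface, the `makeResponse` helper and the sample responses are constructed for the example; the function names are assumptions.

```typescript
// Added example (not Misskey's code): refuse to treat a fetched document as an
// Activity Streams object unless the response declares the Activity Streams
// media type. Accepted types (ActivityPub, section 3.2):
//   application/activity+json
//   application/ld+json; profile="https://www.w3.org/ns/activitystreams"

const ACTIVITY_STREAMS_PROFILE = 'https://www.w3.org/ns/activitystreams';

interface ParsedMediaType {
  type: string;                    // lower-cased, e.g. "application/activity+json"
  params: Record<string, string>;  // parameter names lower-cased, values unquoted
}

// Parse a Content-Type header value. Returns null when the header is missing
// or the media type is not a well-formed "type/subtype" token pair.
export function parseContentType(header: string | null | undefined): ParsedMediaType | null {
  if (!header) return null;
  const [first, ...rest] = header.split(';');
  const type = (first ?? '').trim().toLowerCase();
  if (!/^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(type)) return null;
  const params: Record<string, string> = {};
  for (const raw of rest) {
    const eq = raw.indexOf('=');
    if (eq < 0) continue;
    const name = raw.slice(0, eq).trim().toLowerCase();
    let value = raw.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // strip quoted-string delimiters
    }
    if (name) params[name] = value;
  }
  return { type, params };
}

// True only for the Activity Streams media types; parameters such as charset
// are tolerated, and the ld+json form requires the activitystreams profile
// (the profile parameter may list several space-separated profile URIs).
export function isActivityStreamsContentType(header: string | null | undefined): boolean {
  const parsed = parseContentType(header);
  if (!parsed) return false;
  if (parsed.type === 'application/activity+json') return true;
  if (parsed.type === 'application/ld+json') {
    const profiles = (parsed.params['profile'] ?? '').split(/\s+/).filter(Boolean);
    return profiles.includes(ACTIVITY_STREAMS_PROFILE);
  }
  return false;
}

// Minimal subset of the Fetch API Response used here (constructed for the example).
export interface ResponseLike {
  status: number;
  headers: { get(name: string): string | null };
  text(): Promise<string>;
}

// Synchronous pre-check: returns a rejection reason, or null when the response
// may be parsed as an Activity Streams object.
export function rejectionReason(res: ResponseLike): string | null {
  if (res.status < 200 || res.status >= 300) return `unexpected HTTP status ${res.status}`;
  const ct = res.headers.get('content-type');
  if (!isActivityStreamsContentType(ct)) {
    return `not an Activity Streams media type (Content-Type: ${ct ?? 'missing'})`;
  }
  return null;
}

// Read and parse the body only after the media-type check passes.
export async function readActivityStreamsObject(res: ResponseLike): Promise<Record<string, unknown>> {
  const reason = rejectionReason(res);
  if (reason !== null) throw new Error(`refusing remote object: ${reason}`);
  const body: unknown = JSON.parse(await res.text());
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    throw new Error('refusing remote object: body is not a JSON object');
  }
  return body as Record<string, unknown>;
}

// Constructed stand-in for a remote server's response.
export function makeResponse(status: number, contentType: string | null, body: string): ResponseLike {
  return {
    status,
    headers: { get: (name: string) => (name.toLowerCase() === 'content-type' ? contentType : null) },
    text: async () => body,
  };
}

// Constructed samples: a genuine actor document versus a user upload that a
// generic file host would typically serve as application/json or text/plain.
export const GENUINE = makeResponse(200, 'application/activity+json; charset=utf-8',
  '{"@context":"https://www.w3.org/ns/activitystreams","type":"Person","id":"https://example.test/users/alice"}');
export const UPLOADED = makeResponse(200, 'application/json',
  '{"@context":"https://www.w3.org/ns/activitystreams","type":"Person","id":"https://example.test/users/alice"}');
```

`rejectionReason` is deliberately separate from the body parsing so the decision is made before any bytes are interpreted; the body alone is indistinguishable in the two constructed samples, which is exactly why the header check matters. On its own this client-side check covers the Misskey side of the issue; the server-side conditions listed in the description (uploads sharing the actor domain, uploads served for Activity Streams `Accept` requests) are addressed by the recommendations below.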
**Recommendations**
For versions prior to 2024.2.0, update to version 2024.2.0 or later, which contains a patch for the issue. As a temporary workaround, consider restricting access to remote Activity Streams objects until the update is applied. Additionally, restrict the ability for users to upload arbitrary documents to the same domain as legitimate Activity Streams actors, and ensure that user-uploaded documents are not served in response to requests with an `Accept` header value of the Activity Streams media type.