Server-Side Request Forgery Vulnerability in Misskey's Upload from URL and Remote Attachment Handling

Server-Side Request Forgery Vulnerability in Misskey's Upload from URL and Remote Attachment Handling

CVE-2021-39195 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in "Upload from URL" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running.

Learn more about our Cis Benchmark Audit For Server Software.