Lemmy Security Advisory for Versions < `0.19.1`: Private message details leak.(github.com)

posted 11 months ago

Dessalines@lemmy.mlMD

announcements@lemmy.ml

4 commentshide report

The full description of the bug is in the linked issue above, but the short version is:

Our CreatePrivateMessageReport endpoint had a bug that would allow anyone, not just the recipient, to create a report, and then receive the details about private messages.

This allowed anyone to iterate over ids, creating thousands of reports in order to receive details about private messages.

Since those reports are visible to admins, it would be easy to discover if someone was abusing this, and luckily we haven’t heard of anyone doing so on production instances (so far).

If you haven’t, please be sure to upgrade to at least 0.19.1 for the fix.

Many thanks to @Nothing4You for finding this one.

Sort:

Hot Top Controversial New Old

[ - ]

Blaze@discuss.online

9 points

11 months ago

Isn’t that dangerous to discose the bug while the largest version is still 18.5 ? https://fedidb.org/software/lemmy/versions

permalink

report

[ - ]

Dessalines@lemmy.mlOPMD

16 points

11 months ago

Timing on publishing these is tricky. We let most server runners know about this ~a month ago now, and we’re now 2 versions past the bug.

permalink

report

parent

[ - ]

Blaze@discuss.online

6 points

11 months ago

Interesting, thanks, I didn’t know you communicated this to the admins before

permalink

report

parent

[ - ]

syd@lemy.lol

2 points

11 months ago

0.18.6 would make sense TBH.

permalink

report

parent

Announcements

!announcements@lemmy.ml

Create post

Official announcements from the Lemmy project. Subscribe to this community or add it to your RSS reader in order to be notified about new releases and important updates.

You can also find major news on join-lemmy.org

Community stats

74
Monthly active users
62
Posts
925
Comments

Community stats

Community moderators