Matrix9180 :ruby: :rust:

@thisismissem @pixelfed hmmm... maybe I can white knight this shit and be the hacker that breaks in, upgrades their instance and leaves lol. Like jailbreakme back in the day. Lol

8 comments
Emelia 👸🏻

@matrix9180 @pixelfed lucky not a vulnerability that gives you shell access as far as I know.

Matrix9180 :ruby: :rust:

@thisismissem @pixelfed that's good at least. Still enough access to set a global notice to everyone that their instance hasn't been upgraded and has been compromised and is still vulnerable. And urge them to pester their admins until it happens...

Anil

@thisismissem @matrix9180 @pixelfed I'm curious how the CVE score is so high without RCE possibilities? Escalation of privileges is usually in the 5-6ish range

Matrix9180 :ruby: :rust:

@nil @thisismissem @pixelfed yeah, something is fishy... Critical is usually reserved for "oops all root access on the host" vulns...

Matrix9180 :ruby: :rust:

@nil @thisismissem @pixelfed yep, but I suppose it could be that high because it maybe exposes everyone's info. Going to get some rest but I'll probably see what they fixed and go from there lol

Emelia 👸🏻

@nil @matrix9180 @pixelfed so yeah, base score is 9.9 — though NIST's calculator is more explanatory than GitHub's, overall score ended up being 8.4 with all the other factors
