Incorrect Ownership Assignment Affecting lemmy_server package, versions >=0.17.0 <0.19.11


Severity

medium (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-RUST-LEMMYSERVER-9749470
  • published: 18 Apr 2025
  • disclosed: 8 Apr 2025
  • credit: Unknown

Introduced: 8 Apr 2025

CVE: not available. CWE-708

How to fix?

Upgrade lemmy_server to version 0.19.11 or higher.

Overview

Affected versions of this package are vulnerable to Incorrect Ownership Assignment when selecting files for deletion as part of a user or community purge or a user ban operation. An attacker can cause the deletion of images (image/* content type) belonging to users other than the ones being banned or purged. This is only exploitable without authentication if the instance has open federation; otherwise, user interaction or a privileged attacker would be needed to exploit the vulnerability.
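The defect class described above, as an added Rust illustration that is not lemmy_server's code: a purge step that picks uploaded images for deletion, with an unscoped selection beside an owner-scoped one. The struct, function names and sample rows are constructed for this example.

```rust
// Added illustration (not lemmy_server's code): modelling the purge step that
// selects uploaded images for deletion. Names and sample data are constructed.

struct LocalImage {
    alias: String,        // storage key of the uploaded file
    uploader_id: u64,     // local user who uploaded it
    content_type: String, // MIME type recorded at upload time
}

/// Weak selection: picks every image/* file regardless of who uploaded it.
/// This is the shape of CWE-708: the deletion set is not bound to the purged owner.
fn select_for_purge_unscoped(images: &[LocalImage]) -> Vec<String> {
    images
        .iter()
        .filter(|img| img.content_type.starts_with("image/"))
        .map(|img| img.alias.clone())
        .collect()
}

/// Hardened selection: bind the deletion set to the purged user's id first,
/// and only then narrow it by content type.
fn select_for_purge_scoped(images: &[LocalImage], purged_user: u64) -> Vec<String> {
    images
        .iter()
        .filter(|img| img.uploader_id == purged_user)
        .filter(|img| img.content_type.starts_with("image/"))
        .map(|img| img.alias.clone())
        .collect()
}

/// Constructed sample table: two uploaders, three files.
fn sample_images() -> Vec<LocalImage> {
    let mk = |alias: &str, uploader_id: u64, ct: &str| LocalImage {
        alias: alias.to_string(),
        uploader_id,
        content_type: ct.to_string(),
    };
    vec![
        mk("a1.png", 7, "image/png"),
        mk("b2.jpg", 8, "image/jpeg"),
        mk("c3.txt", 7, "text/plain"),
    ]
}

fn main() {
    let imgs = sample_images();
    println!("unscoped: {:?}", select_for_purge_unscoped(&imgs)); // deletes user 8's file too
    println!("scoped(7): {:?}", select_for_purge_scoped(&imgs, 7)); // only a1.png
}
```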
