CVE-2024-23649: 
Rust vulnerability analysis and mitigation

CVE-2024-23649 is a vulnerability discovered in Lemmy Server versions >=0.17.0 and <0.19.1, where any authenticated user could obtain private message details from other users on the same instance. The vulnerability was disclosed on January 24, 2024, and has been patched in version 0.19.1 (GitHub Advisory).

The vulnerability exists in the private message reporting functionality where the API endpoint '/api/v3/private_message/report' failed to validate whether the reporter was the recipient of the message. The API response when creating a report contained the 'private_message_report_view' with all the details of the report, including the private message itself. This allowed any authenticated user to iterate over message IDs to obtain all private messages of an instance. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

The vulnerability allows any authenticated user to obtain arbitrary private message contents from other users on the same instance. The impact is particularly severe on instances where registrations are enabled without an application system, as the privileges required are practically none. Even with registration applications required, the privilege barrier remains relatively low (GitHub Advisory).

The vulnerability has been patched in Lemmy Server version 0.19.1. For instances unable to update immediately, a workaround is available by blocking the API route in the reverse proxy. This can be implemented in nginx by adding a location block that returns a 403 error for the vulnerable endpoint. While this prevents all private message reporting functionality, it effectively blocks exploitation (GitHub Advisory).