@FloatingGhost@ihatebeinga.live modifying the source code could theoretically get you in, but yeah, without a way to recompile and reload that specific module immediately, which I feel reasonably confident in saying an attacker lacks without immediate RCE, this doesn't equal instant RCE. Same goes for modifying the BEAM file, it won't be spontaneously loaded and run.
If this vulnerability were real, this would make the lack of disclosure even more ridiculous, since it'd be a ticking time bomb, and not a fait accompli that every instance is already compromised.
Evelyn fra denne andre øya (evelyn@misskey.bubbletea.dev)'s status on Tuesday, 16-Apr-2024 22:29:23 JST
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 16-Apr-2024 22:40:34 JST
@evelyn @FloatingGhost Also it's trivial to mitigate at 100% by having the files be non-writable to the user running the server (in fact you probably could run it in an immutable container with database+uploads separated).
I'd guess the explanation is they were running From Source style and are reacting 1+ month later given that https://transwo.men/objects/309ea454-310b-4961-9f8f-4f93ef6a440c indicates it's already been fixed.
Erin 💽✨ (erincandescent@akko.erincandescent.net)'s status on Wednesday, 17-Apr-2024 01:25:26 JST
@lanodan @FloatingGhost @evelyn
> in fact you probably could run it in an immutable container with database+uploads separated
As someone running an OTP container build in k8s with DB on a separate VM and uploads to S3, intense nodding...
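The mitigation raised in this thread (source and BEAM files not writable by the user running the server) can be audited with a short script. This is an added example, not from any of the posts or from the project; the function name `writable_by` and its two arguments (service user, install directory) are hypothetical, and it reads only the classic permission bits.

```shell
#!/bin/sh
# writable_by USER DIR
# Print every path under DIR that USER could modify according to the
# owner/group/other permission bits. Empty output means nothing was found.
# Not covered: ACLs, capabilities, and root (which bypasses these bits).
# Writable directories are reported too, since a writable directory lets
# its files be replaced even when the files themselves are read-only.
writable_by() {
    user=$1
    dir=$2
    {
        # Owned by the user, owner-write bit set.
        find "$dir" ! -type l -user "$user" -perm -200
        # Group-writable and owned by one of the user's groups.
        for gid in $(id -G "$user"); do
            find "$dir" ! -type l -group "$gid" -perm -020
        done
        # World-writable.
        find "$dir" ! -type l -perm -002
    } 2>/dev/null | sort -u
}

# Stand-alone use: sh script.sh <service-user> <install-dir>
if [ "$#" -eq 2 ]; then
    writable_by "$1" "$2"
fi
```

Files that are read-only but still owned by the service user can be made writable again by that user with `chmod`, so a clean result is strongest when the files are owned by a different account.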