Vulnerabilities related to joinmastodon - mastodon
Vulnerability from fkie_nvd
Published
2022-02-02 22:15
Modified
2024-11-21 06:38
Severity ?
Summary
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
References
Source | URL | Tags | |
---|---|---|---|
security@huntr.dev | https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09 | Patch, Third Party Advisory | |
security@huntr.dev | https://huntr.dev/bounties/d06da292-7716-4d74-a129-dd04773398d7 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/d06da292-7716-4d74-a129-dd04773398d7 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE8A3A6B-1119-4E7E-BF20-329B7DB64588", "versionEndExcluding": "3.5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0." }, { "lang": "es", "value": "Una Contaminaci\u00f3n de Prototipo en el repositorio GitHub mastodon/mastodon versiones anteriores a 3.5.0" } ], "id": "CVE-2022-0432", "lastModified": "2024-11-21T06:38:36.943", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-02-02T22:15:07.503", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09" }, { "source": "security@huntr.dev", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/d06da292-7716-4d74-a129-dd04773398d7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/d06da292-7716-4d74-a129-dd04773398d7" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1321" } ], "source": "security@huntr.dev", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-1321" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-07-06 19:15
Modified
2024-11-21 08:09
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDD53D86-018D-4C06-94B3-36E2FDE03963", "versionEndExcluding": "3.5.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "51150E6A-F99E-4905-A464-2BAC2B1C36C3", "versionEndExcluding": "4.0.5", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "8AB4CC5C-A9AE-4CD1-8912-B570E2F6E170", "versionEndExcluding": "4.1.3", "versionStartIncluding": "4.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue." 
} ], "id": "CVE-2023-36461", "lastModified": "2024-11-21T08:09:45.617", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-07-06T19:15:10.880", "references": [ { "source": "security-advisories@github.com", "tags": [ "Mailing List" ], "url": "http://www.openwall.com/lists/oss-security/2023/07/06/7" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": 
"https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "http://www.openwall.com/lists/oss-security/2023/07/06/7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-770" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-08-06 00:15
Modified
2025-08-26 13:57
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB393D73-9059-4048-94D4-19C0A2745DF4", "versionEndExcluding": "4.2.24", "versionStartIncluding": "3.1.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "D17CA7B4-059D-4529-9ECA-44038C156693", "versionEndExcluding": "4.3.11", "versionStartIncluding": "4.3.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7D822E7-0994-4D10-8219-F1253026CC0C", "versionEndExcluding": "4.4.3", "versionStartIncluding": "4.4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon\u0027s rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3." }, { "lang": "es", "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub Mastodon, que facilita la configuraci\u00f3n LDAP para la autenticaci\u00f3n. 
En las versiones 3.1.5 a 4.2.24, 4.3.0 a 4.3.11 y 4.4.0 a 4.4.3, el sistema de limitaci\u00f3n de velocidad de Mastodon presenta un error cr\u00edtico de configuraci\u00f3n: la limitaci\u00f3n basada en correo electr\u00f3nico para los correos de confirmaci\u00f3n verifica incorrectamente la ruta de restablecimiento de contrase\u00f1a en lugar de la de confirmaci\u00f3n, lo que desactiva los l\u00edmites por correo electr\u00f3nico para las solicitudes de confirmaci\u00f3n. Esto permite a los atacantes eludir las limitaciones de velocidad rotando las direcciones IP y enviar correos de confirmaci\u00f3n ilimitados a cualquier direcci\u00f3n, ya que solo permanece activa una limitaci\u00f3n d\u00e9bil basada en IP (25 solicitudes cada 5 minutos). Esta vulnerabilidad permite ataques de denegaci\u00f3n de servicio que pueden saturar las colas de correo y facilitar el acoso a los usuarios mediante correos de confirmaci\u00f3n no deseados. Esto se ha corregido en las versiones 4.2.24, 4.3.11 y 4.4.3." 
} ], "id": "CVE-2025-54879", "lastModified": "2025-08-26T13:57:17.110", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2025-08-06T00:15:31.880", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/e2592419d93fb41be03c2f3ff6a122fecb0e0952" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.3" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg" }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-770" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2023-09-19 16:15
Modified
2024-11-21 08:22
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon's strict Content Security Policy, blocking inline scripts, etc. However a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the “Translate” button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | 4.2.0 | |
joinmastodon | mastodon | 4.2.0 | |
joinmastodon | mastodon | 4.2.0 | |
joinmastodon | mastodon | 4.2.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "98C89C5A-7235-4260-8656-CA90DB36CC96", "versionEndExcluding": "4.0.10", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "E58F736C-6245-4EF4-AE4D-FB6AA20F0D7B", "versionEndExcluding": "4.1.8", "versionStartIncluding": "4.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "D76FF8DD-B11D-4119-9B4E-32CE8365A25B", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "19DC8A22-E8EF-4FAB-B60E-64FE54AE0968", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "1406EB6A-186B-4A9C-95F6-5EC509867C3C", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "089015EE-D7E4-4370-B1ED-52283B06FF0A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon\u0027s strict Content Security Policy, blocking inline scripts, etc. However a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the \u201cTranslate\u201d button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue." 
}, { "lang": "es", "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub. En las versiones de la rama 4.x anteriores a las versiones 4.0.10, 4.2.8 y 4.2.0-rc2, bajo ciertas condiciones, los atacantes pueden abusar de la funci\u00f3n de traducci\u00f3n para evitar la sanitizaci\u00f3n de HTML del lado del servidor, permitiendo que se ejecute HTML sin escape en el navegador. El impacto es limitado gracias a la estricta Pol\u00edtica de Seguridad de Contenido de Mastodon, el bloqueo de scripts en l\u00ednea, etc. Sin embargo, se podr\u00eda aprovechar una omisi\u00f3n o laguna del CSP para ejecutar XSS malicioso. Adem\u00e1s, requiere la interacci\u00f3n del usuario, ya que esto s\u00f3lo puede ocurrir al hacer clic en el bot\u00f3n \"Traducir\" en una publicaci\u00f3n maliciosa. Las versiones 4.0.10, 4.2.8 y 4.2.0-rc2 contienen un parche para este problema." } ], "id": "CVE-2023-42452", "lastModified": "2024-11-21T08:22:33.730", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2023-09-19T16:15:13.630", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/ff32475f5f4a84ebf9619e7eef5bf8b4c075d0e2" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-2693-xr3m-jhqr" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/ff32475f5f4a84ebf9619e7eef5bf8b4c075d0e2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-2693-xr3m-jhqr" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-02-19 16:15
Modified
2024-12-18 22:39
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded documents in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8812D4F-2BE3-47EF-8184-1A59A8BD0345", "versionEndExcluding": "3.5.19", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "0AEC8DE8-51AD-4C44-AF70-A2ABE8FD49AD", "versionEndExcluding": "4.0.15", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "0CBB8738-9E7D-4DAE-8E6F-5D8F51363B94", "versionEndExcluding": "4.1.15", "versionStartIncluding": "4.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "00EE36CA-1391-4052-9CCB-7A087F06A51E", "versionEndExcluding": "4.2.7", "versionStartIncluding": "4.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn\u0027t check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue." 
}, { "lang": "es", "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub. Antes de las versiones 4.2.7, 4.1.15, 4.0.15 y 3.5.19, al recuperar estados remotos, Mastodon no verifica que la respuesta del servidor remoto tenga un valor de encabezado \"Tipo de contenido\" de los flujos de actividad. tipo de medio, que permite a un actor de amenazas cargar un documento de Activity Streams manipulado a un servidor remoto y hacer que un servidor Mastodon lo recupere, si el servidor remoto acepta cargas arbitrarias de usuarios. La vulnerabilidad permite a un actor de amenazas hacerse pasar por una cuenta en un servidor remoto que cumple con todas las siguientes propiedades: permite al atacante registrar una cuenta; acepta documentos arbitrarios subidos por usuarios y los coloca en el mismo dominio que los actores de ActivityPub; y proporciona documentos subidos por el usuario en respuesta a solicitudes con un valor de encabezado \"Aceptar\" del tipo de medio Activity Streams. Las versiones 4.2.7, 4.1.15, 4.0.15 y 3.5.19 contienen una soluci\u00f3n para este problema." 
} ], "id": "CVE-2024-25623", "lastModified": "2024-12-18T22:39:17.437", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-02-19T16:15:51.847", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { 
"description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-02-27 17:15
Modified
2025-06-24 15:59
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary address. Versions 4.2.16 and 4.3.4 fix the issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "53633344-6503-4CB1-A5AD-3398E3819069", "versionEndExcluding": "4.2.16", "versionStartIncluding": "4.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "97C4389D-7EB8-4E02-8DC8-DA1E39429AE9", "versionEndExcluding": "4.3.4", "versionStartIncluding": "4.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue." }, { "lang": "es", "value": "Mastodon es una plataforma de microblogging federada y alojada por el usuario. A partir de la versi\u00f3n 4.2.0 y antes de las versiones 4.2.16 y 4.3.4, faltan los l\u00edmites de velocidad en `/auth/setup`. Sin esos l\u00edmites de velocidad, un atacante puede crear solicitudes que env\u00eden un correo electr\u00f3nico a direcciones arbitrarias. Las versiones 4.2.16 y 4.3.4 solucionan el problema." 
} ], "id": "CVE-2025-27157", "lastModified": "2025-06-24T15:59:59.633", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2025-02-27T17:15:16.867", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-770" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-09-22 15:15
Modified
2024-11-21 04:02
Severity
Summary
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/tootsuite/mastodon/pull/9329 | Patch, Third Party Advisory | |
cve@mitre.org | https://github.com/tootsuite/mastodon/pull/9381 | Patch, Third Party Advisory | |
cve@mitre.org | https://github.com/tootsuite/mastodon/releases/tag/v2.6.2 | Release Notes, Third Party Advisory | |
cve@mitre.org | https://github.com/tootsuite/mastodon/releases/tag/v2.6.3 | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/tootsuite/mastodon/pull/9329 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/tootsuite/mastodon/pull/9381 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/tootsuite/mastodon/releases/tag/v2.6.2 | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/tootsuite/mastodon/releases/tag/v2.6.3 | Release Notes, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "481AECA4-0684-48D4-88AE-332AF770F9A3", "versionEndExcluding": "2.6.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions." }, { "lang": "es", "value": "Mastodon versiones anteriores a 2.6.3, maneja inapropiadamente los tiempos de espera de sesiones establecidas de manera incompleta." } ], "id": "CVE-2018-21018", "lastModified": "2024-11-21T04:02:42.320", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-09-22T15:15:13.657", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/tootsuite/mastodon/pull/9329" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": 
"https://github.com/tootsuite/mastodon/pull/9381" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.2" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/tootsuite/mastodon/pull/9329" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/tootsuite/mastodon/pull/9381" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.3" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-613" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-11-18 18:15
Modified
2025-05-07 13:38
Severity
Summary
Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0687147-6DBD-4D73-8FF2-637052901A30", "versionEndExcluding": "4.1.17", "versionStartIncluding": "4.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "C38D0CDF-8850-46CC-A988-643D9242A4E1", "versionEndExcluding": "4.2.9", "versionStartIncluding": "4.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header." }, { "lang": "es", "value": "Mastodon 4.1.x anterior a 4.1.17 y 4.2.x anterior a 4.2.9 permiten eludir la limitaci\u00f3n de velocidad a trav\u00e9s de un encabezado de solicitud HTTP manipulado espec\u00edficamente." } ], "id": "CVE-2023-49952", "lastModified": "2025-05-07T13:38:59.250", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-11-18T18:15:05.927", "references": [ { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://github.com/mastodon/mastodon/security" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-c2r5-cfqr-c553" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": 
"134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2022-11-16 01:15
Modified
2024-11-21 07:00
Severity
Summary
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
References
▼ | URL | Tags | |
---|---|---|---|
security@huntr.dev | https://github.com/mastodon/mastodon/commit/21fd25a269cca742af431f0d13299e139f267346 | Patch, Third Party Advisory | |
security@huntr.dev | https://huntr.dev/bounties/2f96f990-01c2-44ea-ae47-58bdb3aa455b | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mastodon/mastodon/commit/21fd25a269cca742af431f0d13299e139f267346 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/2f96f990-01c2-44ea-ae47-58bdb3aa455b | Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | 4.0.0 | |
joinmastodon | mastodon | 4.0.0 | |
joinmastodon | mastodon | 4.0.0 | |
joinmastodon | mastodon | 4.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "85BCFF41-D32D-42D5-B3E9-8250AD734726", "versionEndIncluding": "3.5.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "6CBADF66-97E4-48A9-96EA-F21A04A4D54C", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "BB020E7B-7D3B-4634-AC4C-FE83EC0F47BC", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "4E693E74-B6E4-498E-9488-5195C1CD42B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.0.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "58CD5DAE-0675-4BBD-9ED0-045CBC91AF9B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0." }, { "lang": "es", "value": "Restricci\u00f3n Inadecuada de Intentos de Autenticaci\u00f3n Excesivos en el repositorio de GitHub mastodon/mastodon anterior a 4.0.0." 
} ], "id": "CVE-2022-2166", "lastModified": "2024-11-21T07:00:27.670", "metrics": { "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-11-16T01:15:10.207", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/commit/21fd25a269cca742af431f0d13299e139f267346" }, { "source": "security@huntr.dev", "tags": [ "Third Party Advisory" ], "url": "https://huntr.dev/bounties/2f96f990-01c2-44ea-ae47-58bdb3aa455b" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/commit/21fd25a269cca742af431f0d13299e139f267346" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://huntr.dev/bounties/2f96f990-01c2-44ea-ae47-58bdb3aa455b" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-307" } ], "source": "security@huntr.dev", "type": "Secondary" }, 
{ "description": [ { "lang": "en", "value": "CWE-307" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-07-06 19:15
Modified
2024-11-21 08:09
Severity
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "7641D969-D695-41AF-B533-1847CAE25B35", "versionEndExcluding": "3.5.9", "versionStartIncluding": "3.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "51150E6A-F99E-4905-A464-2BAC2B1C36C3", "versionEndExcluding": "4.0.5", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "8AB4CC5C-A9AE-4CD1-8912-B570E2F6E170", "versionEndExcluding": "4.1.3", "versionStartIncluding": "4.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon\u0027s media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue." 
} ], "id": "CVE-2023-36460", "lastModified": "2024-11-21T08:09:45.497", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-07-06T19:15:10.807", "references": [ { "source": "security-advisories@github.com", "tags": [ "Mailing List" ], "url": "http://www.openwall.com/lists/oss-security/2023/07/06/4" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/commit/dc8f1fbd976ae544720a4e07120d9a91b2722440" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": 
"https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "http://www.openwall.com/lists/oss-security/2023/07/06/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/commit/dc8f1fbd976ae544720a4e07120d9a91b2722440" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-07-06 20:15
Modified
2024-11-21 08:09
Severity
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC672F42-16DF-4EBA-9FC4-214B6405501A", "versionEndExcluding": "3.5.9", "versionStartIncluding": "2.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "51150E6A-F99E-4905-A464-2BAC2B1C36C3", "versionEndExcluding": "4.0.5", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "8AB4CC5C-A9AE-4CD1-8912-B570E2F6E170", "versionEndExcluding": "4.1.3", "versionStartIncluding": "4.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue." 
} ], "id": "CVE-2023-36462", "lastModified": "2024-11-21T08:09:45.740", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-07-06T20:15:09.423", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-07-06 19:15
Modified
2024-11-21 08:09
Severity
9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "B812C873-88F0-4897-B42C-A67FA6EBB394", "versionEndExcluding": "3.5.9", "versionStartIncluding": "1.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "51150E6A-F99E-4905-A464-2BAC2B1C36C3", "versionEndExcluding": "4.0.5", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "8AB4CC5C-A9AE-4CD1-8912-B570E2F6E170", "versionEndExcluding": "4.1.3", "versionStartIncluding": "4.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user\u0027s browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue." 
} ], "id": "CVE-2023-36459", "lastModified": "2024-11-21T08:09:45.380", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-07-06T19:15:10.727", "references": [ { "source": "security-advisories@github.com", "tags": [ "Mailing List" ], "url": "http://www.openwall.com/lists/oss-security/2023/07/06/5" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": 
"https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List" ], "url": "http://www.openwall.com/lists/oss-security/2023/07/06/5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-09-19 16:15
Modified
2024-11-21 08:22
Severity
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | 4.2.0 | |
joinmastodon | mastodon | 4.2.0 | |
joinmastodon | mastodon | 4.2.0 | |
joinmastodon | mastodon | 4.2.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "73BDE2AA-8259-4C76-B344-BFD5512C4958", "versionEndExcluding": "3.5.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "98C89C5A-7235-4260-8656-CA90DB36CC96", "versionEndExcluding": "4.0.10", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "E58F736C-6245-4EF4-AE4D-FB6AA20F0D7B", "versionEndExcluding": "4.1.8", "versionStartIncluding": "4.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "D76FF8DD-B11D-4119-9B4E-32CE8365A25B", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "19DC8A22-E8EF-4FAB-B60E-64FE54AE0968", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "1406EB6A-186B-4A9C-95F6-5EC509867C3C", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "089015EE-D7E4-4370-B1ED-52283B06FF0A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue." }, { "lang": "es", "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub. 
Antes de las versiones 3.5.14, 4.0.10, 4.1.8 y 4.2.0-rc2, bajo ciertas circunstancias, los atacantes pueden explotar una falla en la normalizaci\u00f3n de nombres de dominio para falsificar dominios que no son de su propiedad. Las versiones 3.5.14, 4.0.10, 4.1.8 y 4.2.0-rc2 contienen un parche para este problema." } ], "id": "CVE-2023-42451", "lastModified": "2024-11-21T08:22:33.560", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-09-19T16:15:13.303", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor 
Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-706" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-10-03 18:15
Modified
2025-05-06 18:30
Severity ?
Summary
In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header. Note that the CPE configuration recorded below lists a wider affected range than the single version named here: every release up to and including 4.1.16, and 4.2.0 through 4.2.8. The weakness is classified as CWE-444 (inconsistent interpretation of HTTP requests), so the bypass presumably depends on a client-supplied header reaching the application unchanged; operators should check whether their reverse proxy overwrites or strips such headers rather than relying on the version string alone — confirm against the linked advisory.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/mastodon/mastodon/security/advisories/GHSA-q3rg-xx5v-4mxh | Third Party Advisory | |
cve@mitre.org | https://github.com/mastodon/mastodon/tags | Release Notes |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E0B49C2-250A-4A5E-AEB1-54C103602E0A", "versionEndIncluding": "4.1.16", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "7B713D44-3FB7-48E5-959A-63E4B4EF5159", "versionEndIncluding": "4.2.8", "versionStartIncluding": "4.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header." }, { "lang": "es", "value": "En Mastodon 4.1.6, la limitaci\u00f3n de velocidad del endpoint de la API se puede evitar configurando un encabezado de solicitud HTTP manipulado espec\u00edficamente." } ], "id": "CVE-2024-34535", "lastModified": "2025-05-06T18:30:39.783", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-10-03T18:15:04.693", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-q3rg-xx5v-4mxh" }, { "source": "cve@mitre.org", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/tags" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-444" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2022-05-24 04:15
Modified
2024-11-21 07:04
Severity ?
Summary
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/mastodon/mastodon/pull/17909 | Patch, Third Party Advisory | |
cve@mitre.org | https://github.com/mastodon/mastodon/releases/tag/v3.5.0 | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mastodon/mastodon/pull/17909 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mastodon/mastodon/releases/tag/v3.5.0 | Release Notes, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE8A3A6B-1119-4E7E-BF20-329B7DB64588", "versionEndExcluding": "3.5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions." }, { "lang": "es", "value": "El archivo app/models/user.rb en Mastodon versiones anteriores a 3.5.0 permite omitir las restricciones de correo electr\u00f3nico" } ], "id": "CVE-2022-31263", "lastModified": "2024-11-21T07:04:15.190", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-05-24T04:15:08.367", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/pull/17909" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": 
"https://github.com/mastodon/mastodon/releases/tag/v3.5.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/pull/17909" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.0" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-04-04 22:15
Modified
2024-11-21 07:56
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and an attacker can perform an LDAP injection attack to leak arbitrary attributes from the LDAP directory. Only deployments with LDAP authentication enabled are exposed. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "7719057A-5D61-40B5-9F17-BAE36C43C90A", "versionEndExcluding": "3.5.8", "versionStartIncluding": "2.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAB7A197-9D83-4A92-BF6C-A9DBA50E1DDA", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3BC1F07-C0F6-42E6-B967-F1A536F84767", "versionEndExcluding": "4.1.2", "versionStartIncluding": "4.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2." 
} ], "id": "CVE-2023-28853", "lastModified": "2024-11-21T07:56:09.700", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-04-04T22:15:08.087", "references": [ { "source": "security-advisories@github.com", "url": "http://www.openwall.com/lists/oss-security/2023/07/06/6" }, { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14" }, { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/pull/24379" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": 
"https://github.com/mastodon/mastodon/releases/tag/v4.0.4" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/07/06/6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/pull/24379" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-90" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-74" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-02-14 21:15
Modified
2024-12-18 22:27
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The vendor advisory rates the severity as medium, as exploitation also requires the external authentication provider to misbehave; note, however, that NVD's own CVSS 3.1 assessment shown above rates it 7.4 (High) with no user interaction required. Some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE8476E0-8645-43D4-9003-53CC67A2A8C6", "versionEndExcluding": "3.5.18", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "9ADD4C15-271F-4A6F-93D2-18CC1DF95CB2", "versionEndExcluding": "4.0.14", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "7803D303-8650-422E-B97C-909672BD39F3", "versionEndExcluding": "4.1.14", "versionStartIncluding": "4.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF9BDF83-C1FF-4F9E-9B3B-796198DEDDC3", "versionEndExcluding": "4.2.6", "versionStartIncluding": "4.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. 
However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability." }, { "lang": "es", "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub. Mastodon permite que nuevas identidades de proveedores de autenticaci\u00f3n configurados (CAS, SAML, OIDC) se adjunten a usuarios locales existentes con la misma direcci\u00f3n de correo electr\u00f3nico. Esto da como resultado una posible apropiaci\u00f3n de la cuenta si el proveedor de autenticaci\u00f3n permite cambiar la direcci\u00f3n de correo electr\u00f3nico o si se configuran varios proveedores de autenticaci\u00f3n. Cuando un usuario inicia sesi\u00f3n a trav\u00e9s de un proveedor de autenticaci\u00f3n externo por primera vez, Mastodon verifica la direcci\u00f3n de correo electr\u00f3nico transmitida por el proveedor para encontrar una cuenta existente. Sin embargo, usar solo la direcci\u00f3n de correo electr\u00f3nico significa que si el proveedor de autenticaci\u00f3n permite cambiar la direcci\u00f3n de correo electr\u00f3nico de una cuenta, la cuenta de Mastodon puede ser secuestrada inmediatamente. Todos los usuarios que inician sesi\u00f3n a trav\u00e9s de proveedores de autenticaci\u00f3n externos se ven afectados. La gravedad es media, ya que tambi\u00e9n requiere que el proveedor de autenticaci\u00f3n externo se comporte mal. Sin embargo, algunos proveedores de OIDC conocidos (como Microsoft Azure) hacen que sea muy f\u00e1cil permitir accidentalmente cambios de correo electr\u00f3nico no verificados. Adem\u00e1s, OpenID Connect tambi\u00e9n permite el registro din\u00e1mico de clientes. Este problema se solucion\u00f3 en las versiones 4.2.6, 4.1.14, 4.0.14 y 3.5.18. 
Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad." } ], "id": "CVE-2024-25618", "lastModified": "2024-12-18T22:27:39.050", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-02-14T21:15:08.410", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ 
{ "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-306" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-03-06 14:15
Modified
2025-03-06 20:15
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "E79C1BF6-625F-43A1-BA73-2F4C4E261387", "versionEndExcluding": "3.5.3", "versionStartIncluding": "3.5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server\u0027s representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive." } ], "id": "CVE-2022-48364", "lastModified": "2025-03-06T20:15:36.740", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2023-03-06T14:15:09.463", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/40826d/advisories/blob/master/CVE-2022-48364/README.md" }, { "source": "cve@mitre.org", "tags": [ "Release 
Notes" ], "url": "https://github.com/mastodon/mastodon/blob/main/CHANGELOG.md#353---2022-05-26" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Product" ], "url": "https://github.com/mastodon/mastodon/compare/v3.5.2...v3.5.3" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/pull/18525" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/40826d/advisories/blob/master/CVE-2022-48364/README.md" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/blob/main/CHANGELOG.md#353---2022-05-26" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Product" ], "url": "https://github.com/mastodon/mastodon/compare/v3.5.2...v3.5.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/pull/18525" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2024-02-14 21:15
Modified
2024-12-18 22:22
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server was not being informed that the Access Tokens had also been destroyed; this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed. Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback set up on `AccessTokenExtension` did not actually fire, since `delete_all` does not trigger ActiveRecord callbacks. The fix adds a `before_destroy` callback to `ApplicationExtension` which announces to streaming that all the Application's Access Tokens are being "killed". Impact should be negligible given the affected application had to be owned by the user. Nonetheless, this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE8476E0-8645-43D4-9003-53CC67A2A8C6", "versionEndExcluding": "3.5.18", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "9ADD4C15-271F-4A6F-93D2-18CC1DF95CB2", "versionEndExcluding": "4.0.14", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "7803D303-8650-422E-B97C-909672BD39F3", "versionEndExcluding": "4.1.14", "versionStartIncluding": "4.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF9BDF83-C1FF-4F9E-9B3B-796198DEDDC3", "versionEndExcluding": "4.2.6", "versionStartIncluding": "4.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn\u0027t being informed that the Access Tokens had also been destroyed, this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed. Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback setup on `AccessTokenExtension` didn\u0027t actually fire, since `delete_all` doesn\u0027t trigger ActiveRecord callbacks. To mitigate, we need to add a `before_destroy` callback to `ApplicationExtension` which announces to streaming that all the Application\u0027s Access Tokens are being \"killed\". Impact should be negligible given the affected application had to be owned by the user. 
None the less this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workaround for this vulnerability." }, { "lang": "es", "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub. Cuando se destruye una aplicaci\u00f3n OAuth, no se informaba al servidor de transmisi\u00f3n que los tokens de acceso tambi\u00e9n se hab\u00edan destruido, lo que podr\u00eda haber planteado riesgos de seguridad para los usuarios al permitir que una aplicaci\u00f3n continuara escuchando la transmisi\u00f3n despu\u00e9s de que la aplicaci\u00f3n hubiera sido destruida. Esencialmente, esto se reduce al hecho de que cuando Doorkeeper configura la relaci\u00f3n entre las aplicaciones y los tokens de acceso, utiliza una configuraci\u00f3n `dependent: delete_all`, lo que significa que la configuraci\u00f3n de devoluci\u00f3n de llamada `after_commit` en `AccessTokenExtension` en realidad no se activ\u00f3, ya que ` delete_all` no activa devoluciones de llamada de ActiveRecord. Para mitigar, necesitamos agregar una devoluci\u00f3n de llamada `before_destroy` a `ApplicationExtension` que anuncia a la transmisi\u00f3n que todos los tokens de acceso de la aplicaci\u00f3n est\u00e1n siendo \"eliminados\". El impacto deber\u00eda ser insignificante dado que la aplicaci\u00f3n afectada ten\u00eda que ser propiedad del usuario. No obstante, este problema se ha solucionado en las versiones 4.2.6, 4.1.14, 4.0.14 y 3.5.18. Se recomienda a los usuarios que actualicen. No se conocen workaround para esta vulnerabilidad." 
} ], "id": "CVE-2024-25619", "lastModified": "2024-12-18T22:22:01.737", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-02-14T21:15:08.620", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-613" }, { "lang": "en", "value": "CWE-672" } ], "source": 
"security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-613" }, { "lang": "en", "value": "CWE-672" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-09-19 16:15
Modified
2024-11-21 08:22
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | 4.2.0 | |
joinmastodon | mastodon | 4.2.0 | |
joinmastodon | mastodon | 4.2.0 | |
joinmastodon | mastodon | 4.2.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "D76FF8DD-B11D-4119-9B4E-32CE8365A25B", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "19DC8A22-E8EF-4FAB-B60E-64FE54AE0968", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "1406EB6A-186B-4A9C-95F6-5EC509867C3C", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "089015EE-D7E4-4370-B1ED-52283B06FF0A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue." }, { "lang": "es", "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub. A partir de la versi\u00f3n 4.2.0-beta1 y antes de la versi\u00f3n 4.2.0-rc2, al crear entradas espec\u00edficas, los atacantes pueden inyectar datos arbitrarios en las solicitudes HTTP emitidas por Mastodon. Esto se puede utilizar para realizar ataques adjuntos confusos si la configuraci\u00f3n del servidor incluye `ALLOWED_PRIVATE_ADDRESSES` para permitir el acceso a servicios locales explotables. La versi\u00f3n 4.2.0-rc2 tiene un parche para el problema." 
} ], "id": "CVE-2023-42450", "lastModified": "2024-11-21T08:22:33.413", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-09-19T16:15:12.897", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-113" }, { "lang": "en", "value": "CWE-918" } ], "source": 
"security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-07-05 18:15
Modified
2025-06-24 16:04
Severity ?
Summary
Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "789AD464-8653-4C01-B623-144CC9968130", "versionEndExcluding": "4.1.18", "versionStartIncluding": "2.6.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "17D6FFBE-0FB9-4AFB-B93A-F8B063B52A1A", "versionEndExcluding": "4.2.10", "versionStartIncluding": "4.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue." }, { "lang": "es", "value": " Mastodon es una plataforma de microblogging federada y autohospedada. A partir de la versi\u00f3n 2.6.0 y antes de las versiones 4.1.18 y 4.2.10, al crear actividades espec\u00edficas, un atacante puede ampliar la audiencia de una publicaci\u00f3n que no es de su propiedad a otros usuarios de Mastodon en un servidor de destino, obteniendo as\u00ed acceso al contenido de una publicaci\u00f3n no destinada a ellos. Las versiones 4.1.18 y 4.2.10 contienen un parche para este problema." 
} ], "id": "CVE-2024-37903", "lastModified": "2025-06-24T16:04:05.977", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-07-05T18:15:32.093", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18" }, { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], 
"url": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2022-12-04 04:15
Modified
2025-04-24 16:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://borg.social/notes/98bcoo2t1n | Issue Tracking, Third Party Advisory | |
cve@mitre.org | https://hackmd.io/rD9nsTz1QeuPT-erxqjY-A | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://borg.social/notes/98bcoo2t1n | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackmd.io/rD9nsTz1QeuPT-erxqjY-A | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "11AE4FBF-5DF3-49F0-AAF4-6EB04F94C222", "versionEndIncluding": "4.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages." }, { "lang": "es", "value": "Mastodon hasta 4.0.2 permite a los atacantes provocar una Denegaci\u00f3n de Servicio (DoS) (gran cola de extracci\u00f3n de Sidekiq) mediante la creaci\u00f3n de cuentas de bot que siguen cuentas controladas por el atacante en ciertos otros servidores asociados con un registro DNS A comod\u00edn, de modo que existe una recursi\u00f3n incontrolada de mensajes generados por el atacante." 
} ], "id": "CVE-2022-46405", "lastModified": "2025-04-24T16:15:24.133", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2022-12-04T04:15:09.380", "references": [ { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://borg.social/notes/98bcoo2t1n" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://hackmd.io/rD9nsTz1QeuPT-erxqjY-A" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://borg.social/notes/98bcoo2t1n" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://hackmd.io/rD9nsTz1QeuPT-erxqjY-A" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-674" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-674" } ], "source": 
"134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2025-02-27 18:15
Modified
2025-06-24 15:59
Severity ?
Summary
Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins that do not want their domain blocks to be public are impacted. Versions 4.1.23, 4.2.16, and 4.3.4 fix the issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CFE3B6D-AA01-4B5F-BFDA-D206A457D55F", "versionEndExcluding": "4.1.23", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "53633344-6503-4CB1-A5AD-3398E3819069", "versionEndExcluding": "4.2.16", "versionStartIncluding": "4.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "97C4389D-7EB8-4E02-8DC8-DA1E39429AE9", "versionEndExcluding": "4.3.4", "versionStartIncluding": "4.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to \"users\" (localized English string: \"To logged-in users\"), users that are not yet approved can view the block reasons. Instance admins that do not want their domain blocks to be public are impacted. Versions 4.1.23, 4.2.16, and 4.3.4 fix the issue." }, { "lang": "es", "value": "Mastodon es una plataforma de microblogging federada y alojada por el usuario. En versiones anteriores a 4.1.23, 4.2.16 y 4.3.4, cuando la visibilidad de los bloqueos/razones de dominio est\u00e1 configurada en \"usuarios\" (cadena localizada en ingl\u00e9s: \"To logged-in users\"), los usuarios que a\u00fan no hayan sido aprobados pueden ver los motivos de bloqueo. Los administradores de instancias que no desean que sus bloqueos de dominio sean p\u00fablicos se ven afectados. 
Las versiones 4.1.23, 4.2.16 y 4.3.4 solucionan el problema.\n" } ], "id": "CVE-2025-27399", "lastModified": "2025-06-24T15:59:22.870", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-02-27T18:15:30.380", "references": [ { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://github.com/mastodon/mastodon/blob/93f0427b8a84faf68d5d02cdf9a26f98fae16f2b/app/controllers/api/v1/instances/domain_blocks_controller.rb#L33-L35" }, { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://github.com/mastodon/mastodon/blob/93f0427b8a84faf68d5d02cdf9a26f98fae16f2b/app/controllers/api/v1/instances/domain_blocks_controller.rb#L49-L51" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/6b519cfefa93a923b19d0f20c292c7185f8fd5f5" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-94h4-fj37-c825" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" }, { "lang": "en", "value": "CWE-285" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-02-01 17:15
Modified
2024-11-21 08:58
Severity ?
9.4 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D78571-45F8-4E22-80CB-67190F74AEDA", "versionEndExcluding": "3.5.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4FE237D-083C-4D44-BEFC-AFE77F1A9B94", "versionEndExcluding": "4.0.13", "versionStartIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "80BD3026-2541-470E-85F2-61ACFD318C9C", "versionEndExcluding": "4.1.13", "versionStartIncluding": "4.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC484C16-EA4D-48EC-A03D-1D8DCB89AAB8", "versionEndExcluding": "4.2.5", "versionStartIncluding": "4.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x version prior to 4.1.13, and 4.2.x versions prior to 4.2.5." }, { "lang": "es", "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub. Mastodon permite la configuraci\u00f3n de LDAP para la autenticaci\u00f3n. Debido a una validaci\u00f3n de origen insuficiente en todos los Mastodon, los atacantes pueden hacerse pasar por cualquier cuenta remota y apoderarse de ella. Todas las versiones de Mastodon anteriores a la 3.5.17 son vulnerables, as\u00ed como las versiones 4.0.x anteriores a la 4.0.13, la versi\u00f3n 4.1.x anteriores a la 4.1.13 y las versiones 4.2.x anteriores a la 4.2.5." 
} ], "id": "CVE-2024-23832", "lastModified": "2024-11-21T08:58:31.150", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-02-01T17:15:10.677", "references": [ { "source": "security-advisories@github.com", "tags": [ "Mailing List", "Patch" ], "url": "http://www.openwall.com/lists/oss-security/2024/02/02/4" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Patch" ], "url": "http://www.openwall.com/lists/oss-security/2024/02/02/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" 
], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-290" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-02-03 20:15
Modified
2024-11-21 06:50
Severity ?
Summary
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/mastodon/mastodon/releases/tag/v3.3.2 | Release Notes, Third Party Advisory | |
cve@mitre.org | https://github.com/mastodon/mastodon/releases/tag/v3.4.6 | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mastodon/mastodon/releases/tag/v3.3.2 | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mastodon/mastodon/releases/tag/v3.4.6 | Release Notes, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
joinmastodon | mastodon | * | |
joinmastodon | mastodon | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "514008A3-F4EB-4CE5-A725-0D68436A3D49", "versionEndExcluding": "3.3.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "E44CBEBF-065A-43C6-AD3E-4822DF5D62D6", "versionEndExcluding": "3.4.6", "versionStartIncluding": "3.4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)" }, { "lang": "es", "value": "Mastodon versiones anteriores a 3.3.2 y versiones 3.4.x anteriores a 3.4.6, presenta un control de acceso incorrecto porque no compacta las actividades JSON-LD firmadas entrantes. (La firma de JSON-LD ha sido soportada desde la versi\u00f3n 1.6.0.)" } ], "id": "CVE-2022-24307", "lastModified": "2024-11-21T06:50:08.400", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-02-03T20:15:07.817", "references": [ { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.3.2" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.4.6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.3.2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.4.6" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2024-25623 (GCVE-0-2024-25623)
Vulnerability from cvelistv5
Published
2024-02-19 15:28
Modified
2024-08-01 23:44
Severity ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type. This allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: it allows the attacker to register an account; it accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and it serves user-uploaded documents in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36 | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-25623", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-20T18:34:37.609043Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:21:47.723Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:44:09.828Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36" }, { "name": "https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003c 3.5.19" }, { "status": "affected", "version": "\u003e= 4.0.0, \u003c 4.0.15" }, { "status": "affected", "version": "\u003e= 4.1.0, \u003c 4.1.15" }, { "status": "affected", "version": "\u003e= 4.2.0, \u003c 4.2.7" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. 
Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn\u0027t check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-19T15:28:15.296Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36" }, { "name": "https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022" } ], "source": { "advisory": "GHSA-jhrq-qvrm-qr36", "discovery": "UNKNOWN" }, "title": "Lack of media type verification of Activity Streams objects allows impersonation of remote accounts" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-25623", "datePublished": "2024-02-19T15:28:15.296Z", "dateReserved": "2024-02-08T22:26:33.511Z", "dateUpdated": "2024-08-01T23:44:09.828Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-36461 (GCVE-0-2023-36461)
Vulnerability from cvelistv5
Published
2023-07-06 18:57
Modified
2025-02-13 16:56
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations but not on the response as a whole. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can therefore extend the duration of a response indefinitely through slowloris-type attacks (trickling data so that each individual read completes before its timeout). This vulnerability can be used to keep all Mastodon workers busy for an extended period of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v3.5.9 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v4.0.5 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v4.1.3 | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2023/07/06/7 |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:45:56.828Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc" }, { "name": "https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/07/06/7" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-36461", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-15T17:55:51.203349Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-15T17:56:02.828Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003c 3.5.9" }, { "status": "affected", "version": 
"\u003e= 4.0.0, \u003c 4.0.5" }, { "status": "affected", "version": "\u003e= 4.1.0, \u003c 4.1.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-06T19:00:13.408Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc" }, { "name": "https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "url": "http://www.openwall.com/lists/oss-security/2023/07/06/7" } ], "source": { "advisory": "GHSA-9pxv-6qvf-pjwc", "discovery": "UNKNOWN" }, "title": "Mastodon vulnerable to Denial of Service through slow HTTP responses" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-36461", "datePublished": "2023-07-06T18:57:59.160Z", "dateReserved": "2023-06-21T18:50:41.699Z", "dateUpdated": "2025-02-13T16:56:18.466Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-27157 (GCVE-0-2025-27157)
Vulnerability from cvelistv5
Published
2025-02-27 17:12
Modified
2025-02-27 18:10
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, rate limits are missing on `/auth/setup`. Without those rate limits, an unauthenticated attacker can craft requests that cause the instance to send emails to arbitrary addresses (enabling mail-bombing of third parties and consumption of the instance's outbound mail quota or sender reputation). Versions 4.2.16 and 4.3.4 fix the issue.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-27157", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-27T18:04:56.696227Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-27T18:10:00.154Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003e= 4.2.0, \u003c 4.2.16" }, { "status": "affected", "version": "\u003e= 4.3.0, \u003c 4.3.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a self-hosted, federated microblogging platform. Starting in version 4.2.0 and prior to versions 4.2.16 and 4.3.4, the rate limits are missing on `/auth/setup`. Without those rate limits, an attacker can craft requests that will send an email to an arbitrary addresses. Versions 4.2.16 and 4.3.4 fix the issue." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-27T17:12:39.043Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v39f-c9jj-8w7h" }, { "name": "https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/06f879ce9bea195344ac9f71e6799eea500628ec" } ], "source": { "advisory": "GHSA-v39f-c9jj-8w7h", "discovery": "UNKNOWN" }, "title": "Mastodon\u0027s rate-limits are missing on `/auth/setup`" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-27157", "datePublished": "2025-02-27T17:12:39.043Z", "dateReserved": "2025-02-19T16:30:47.780Z", "dateUpdated": "2025-02-27T18:10:00.154Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-42452 (GCVE-0-2023-42452)
Vulnerability from cvelistv5
Published
2023-09-19 15:58
Modified
2024-09-24 18:11
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.1.8, and 4.2.0-rc2 (the published description reads "4.2.8", which does not match the affected range `>= 4.1.0, < 4.1.8` given in this record), under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to be rendered in the browser. The impact is limited thanks to Mastodon's strict Content Security Policy, which blocks inline scripts, etc.; however, a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur when a user clicks the "Translate" button on a malicious post. Versions 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/security/advisories/GHSA-2693-xr3m-jhqr | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/ff32475f5f4a84ebf9619e7eef5bf8b4c075d0e2 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:23:38.536Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-2693-xr3m-jhqr", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-2693-xr3m-jhqr" }, { "name": "https://github.com/mastodon/mastodon/commit/ff32475f5f4a84ebf9619e7eef5bf8b4c075d0e2", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/ff32475f5f4a84ebf9619e7eef5bf8b4c075d0e2" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-42452", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-24T18:00:36.912577Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-24T18:11:03.787Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003e= 4.0.0, \u003c 4.0.10" }, { "status": "affected", "version": "\u003e= 4.1.0, \u003c 4.1.8" }, { "status": "affected", "version": "\u003e= 4.2.0-beta1, \u003c 4.2.0-rc2" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon\u0027s strict Content Security Policy, blocking inline scripts, etc. 
However a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the \u201cTranslate\u201d button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-19T15:58:44.559Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-2693-xr3m-jhqr", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-2693-xr3m-jhqr" }, { "name": "https://github.com/mastodon/mastodon/commit/ff32475f5f4a84ebf9619e7eef5bf8b4c075d0e2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/ff32475f5f4a84ebf9619e7eef5bf8b4c075d0e2" } ], "source": { "advisory": "GHSA-2693-xr3m-jhqr", "discovery": "UNKNOWN" }, "title": "Mastodon vulnerable to Stored XSS through the translation feature" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-42452", "datePublished": "2023-09-19T15:58:44.559Z", "dateReserved": "2023-09-08T20:57:45.573Z", "dateUpdated": "2024-09-24T18:11:03.787Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-36460 (GCVE-0-2023-36460)
Vulnerability from cvelistv5
Published
2023-07-06 18:39
Modified
2025-02-13 16:56
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file that the Mastodon process has write access to, enabling Denial of Service and arbitrary Remote Code Execution. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/dc8f1fbd976ae544720a4e07120d9a91b2722440 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v3.5.9 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v4.0.5 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v4.1.3 | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2023/07/06/4 |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:45:56.987Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm" }, { "name": "https://github.com/mastodon/mastodon/commit/dc8f1fbd976ae544720a4e07120d9a91b2722440", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/dc8f1fbd976ae544720a4e07120d9a91b2722440" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/07/06/4" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-36460", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-18T20:44:12.220464Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-18T20:44:22.004Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003e= 3.5.0, \u003c 3.5.9" }, { "status": "affected", 
"version": "\u003e= 4.0.0, \u003c 4.0.5" }, { "status": "affected", "version": "\u003e= 4.1.0, \u003c 4.1.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon\u0027s media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-06T19:00:11.834Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm" }, { "name": "https://github.com/mastodon/mastodon/commit/dc8f1fbd976ae544720a4e07120d9a91b2722440", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/dc8f1fbd976ae544720a4e07120d9a91b2722440" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "url": "http://www.openwall.com/lists/oss-security/2023/07/06/4" } ], "source": { "advisory": "GHSA-9928-3cp5-93fm", "discovery": "UNKNOWN" }, "title": "Mastodon vulnerable to arbitrary file creation through media attachments" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-36460", "datePublished": "2023-07-06T18:39:09.825Z", "dateReserved": "2023-06-21T18:50:41.699Z", "dateUpdated": "2025-02-13T16:56:17.936Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-37903 (GCVE-0-2024-37903)
Vulnerability from cvelistv5
Published
2024-07-05 17:24
Modified
2024-08-02 04:04
CWE
- CWE-862 - Missing Authorization
Summary
Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific ActivityPub activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Because the attack is carried out over federation, no account on the target server is required. Versions 4.1.18 and 4.2.10 contain a patch for this issue.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3 | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v4.1.18 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v4.2.10 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:joinmastodon:mastodon:2.6.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mastodon", "vendor": "joinmastodon", "versions": [ { "lessThan": "4.1.18", "status": "affected", "version": "2.6.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:joinmastodon:mastodon:4.2.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mastodon", "vendor": "joinmastodon", "versions": [ { "lessThan": "4.2.10", "status": "affected", "version": "4.2.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-37903", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-31T19:04:59.386414Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-31T19:17:25.833Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T04:04:23.423Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3" }, { "name": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3" }, { "name": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18", "tags": [ "x_refsource_MISC", 
"x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003e= 2.6.0, \u003c 4.1.18" }, { "status": "affected", "version": "\u003e= 4.2.0, \u003c 4.2.10" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-05T17:24:49.213Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3" }, { "name": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3", "tags": [ 
"x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3" }, { "name": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10" } ], "source": { "advisory": "GHSA-xjvf-fm67-4qc3", "discovery": "UNKNOWN" }, "title": "Mastodon has improper authorship check on audience extension for existing posts" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-37903", "datePublished": "2024-07-05T17:24:49.213Z", "dateReserved": "2024-06-10T19:54:41.362Z", "dateUpdated": "2024-08-02T04:04:23.423Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-28853 (GCVE-0-2023-28853)
Vulnerability from cvelistv5
Published
2023-04-04 21:14
Modified
2025-02-13 16:48
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication; only instances with LDAP authentication enabled are affected. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and an attacker can perform a (blind) LDAP injection attack to leak arbitrary attributes from the LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T13:51:38.946Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv" }, { "name": "https://github.com/mastodon/mastodon/pull/24379", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/pull/24379" }, { "name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14" }, { "name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/07/06/6" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": 
"CVE-2023-28853", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-10T21:30:26.368909Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-10T21:30:30.843Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003e= 2.5.0, \u003c 3.5.8" }, { "status": "affected", "version": "\u003e= 4.0.0, \u003c 4.0.4" }, { "status": "affected", "version": "\u003e= 4.1.0, \u003c 4.1.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-90", "description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-06T23:06:12.881Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv" }, { "name": "https://github.com/mastodon/mastodon/pull/24379", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/pull/24379" }, { "name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14" }, { "name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4", "tags": [ 
"x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2" }, { "url": "http://www.openwall.com/lists/oss-security/2023/07/06/6" } ], "source": { "advisory": "GHSA-38g9-pfm9-gfqv", "discovery": "UNKNOWN" }, "title": "Mastodon\u0027s blind LDAP injection in login allows the attacker to leak arbitrary attributes from LDAP database" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-28853", "datePublished": "2023-04-04T21:14:53.350Z", "dateReserved": "2023-03-24T16:25:34.467Z", "dateUpdated": "2025-02-13T16:48:56.318Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-25619 (GCVE-0-2024-25619)
Vulnerability from cvelistv5
Published
2024-02-14 20:50
Modified
2024-08-01 23:44
CWE
Summary
Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application was destroyed, the streaming server was not informed that the Application's Access Tokens had also been destroyed; this could have posed a security risk to users by allowing a client of that Application to keep listening on the streaming API after the Application had been destroyed. Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback set up on `AccessTokenExtension` did not actually fire, since `delete_all` does not trigger ActiveRecord callbacks. To mitigate, a `before_destroy` callback was added to `ApplicationExtension` which announces to streaming that all of the Application's Access Tokens are being "killed". Impact should be negligible given that the affected Application had to be owned by the user. Nonetheless, this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-25619", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-15T20:06:57.515329Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:34:59.800Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:44:09.688Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x" }, { "name": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003e= 4.2.0, \u003c 4.2.6" }, { "status": "affected", "version": "\u003e= 4.1.0, \u003c 4.1.14" }, { "status": "affected", "version": "\u003e= 4.0.0, \u003c 4.0.14" }, { "status": "affected", "version": "\u003c 3.5.18" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn\u0027t being informed that the Access Tokens had also been destroyed, this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed. 
Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback setup on `AccessTokenExtension` didn\u0027t actually fire, since `delete_all` doesn\u0027t trigger ActiveRecord callbacks. To mitigate, we need to add a `before_destroy` callback to `ApplicationExtension` which announces to streaming that all the Application\u0027s Access Tokens are being \"killed\". Impact should be negligible given the affected application had to be owned by the user. None the less this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workaround for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-672", "description": "CWE-672: Operation on a Resource after Expiration or Release", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-14T20:50:10.809Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x" }, { "name": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71" } ], "source": { "advisory": "GHSA-7w3c-p9j8-mq3x", "discovery": "UNKNOWN" }, "title": "Destroying OAuth Applications doesn\u0027t notify Streaming of Access Tokens being destroyed in mastodon" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-25619", "datePublished": "2024-02-14T20:50:10.809Z", "dateReserved": "2024-02-08T22:26:33.511Z", "dateUpdated": "2024-08-01T23:44:09.688Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-36459 (GCVE-0-2023-36459)
Vulnerability from cvelistv5
Published
2023-07-06 18:29
Modified
2025-02-13 16:56
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v3.5.9 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v4.0.5 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v4.1.3 | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2023/07/06/5 |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:45:57.102Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp" }, { "name": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/07/06/5" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-36459", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-14T14:07:13.081530Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-14T14:07:24.022Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003e= 1.3, \u003c 3.5.9" }, { "status": "affected", 
"version": "\u003e= 4.0.0, \u003c 4.0.5" }, { "status": "affected", "version": "\u003e= 4.1.0, \u003c 4.1.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user\u0027s browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-06T18:30:10.023Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp" }, { "name": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "tags": [ 
"x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" }, { "url": "http://www.openwall.com/lists/oss-security/2023/07/06/5" } ], "source": { "advisory": "GHSA-ccm4-vgcc-73hp", "discovery": "UNKNOWN" }, "title": "Mastodon vulnerable to Cross-site Scripting through oEmbed preview cards" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-36459", "datePublished": "2023-07-06T18:29:07.669Z", "dateReserved": "2023-06-21T18:50:41.699Z", "dateUpdated": "2025-02-13T16:56:17.330Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-0432 (GCVE-0-2022-0432)
Vulnerability from cvelistv5
Published
2022-02-02 20:11
Modified
2024-08-02 23:25
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Summary
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
References
▼ | URL | Tags |
---|---|---|
https://huntr.dev/bounties/d06da292-7716-4d74-a129-dd04773398d7 | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
mastodon | mastodon/mastodon |
Version: unspecified < 3.5.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:25:40.426Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://huntr.dev/bounties/d06da292-7716-4d74-a129-dd04773398d7" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "mastodon/mastodon", "vendor": "mastodon", "versions": [ { "lessThan": "3.5.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1321", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-02T20:11:08", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://huntr.dev/bounties/d06da292-7716-4d74-a129-dd04773398d7" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09" } ], "source": { "advisory": "d06da292-7716-4d74-a129-dd04773398d7", "discovery": "EXTERNAL" }, "title": "Prototype Pollution in mastodon/mastodon", "x_legacyV4Record": { 
"CVE_data_meta": { "ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-0432", "STATE": "PUBLIC", "TITLE": "Prototype Pollution in mastodon/mastodon" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "mastodon/mastodon", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "3.5.0" } ] } } ] }, "vendor_name": "mastodon" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://huntr.dev/bounties/d06da292-7716-4d74-a129-dd04773398d7", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/d06da292-7716-4d74-a129-dd04773398d7" }, { "name": "https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09", "refsource": "MISC", "url": "https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09" } ] }, "source": { "advisory": "d06da292-7716-4d74-a129-dd04773398d7", "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-0432", "datePublished": "2022-02-02T20:11:08", "dateReserved": "2022-01-31T00:00:00", "dateUpdated": "2024-08-02T23:25:40.426Z", "state": 
"PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-49952 (GCVE-0-2023-49952)
Vulnerability from cvelistv5
Published
2024-11-18 00:00
Modified
2024-11-19 15:39
CWE
- n/a
Summary
Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header.
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:joinmastodon:mastodon:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "mastodon", "vendor": "joinmastodon", "versions": [ { "lessThan": "4.1.17", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "4.2.9", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-49952", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-19T15:31:42.564071Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-19T15:39:43.146Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-18T17:31:38.412621", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/mastodon/mastodon/security" }, { "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-c2r5-cfqr-c553" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-49952", "datePublished": "2024-11-18T00:00:00", "dateReserved": "2023-12-03T00:00:00", "dateUpdated": "2024-11-19T15:39:43.146Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-34535 (GCVE-0-2024-34535)
Vulnerability from cvelistv5
Published
2024-10-03 00:00
Modified
2024-11-25 18:01
CWE
- n/a
Summary
In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header.
References
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-34535", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-03T19:40:08.651173Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-25T18:01:21.080Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-03T17:56:04.998866", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/mastodon/mastodon/tags" }, { "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-q3rg-xx5v-4mxh" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-34535", "datePublished": "2024-10-03T00:00:00", "dateReserved": "2024-05-06T00:00:00", "dateUpdated": "2024-11-25T18:01:21.080Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-42451 (GCVE-0-2023-42451)
Vulnerability from cvelistv5
Published
2023-09-19 15:56
Modified
2024-09-24 20:36
CWE
- CWE-706 - Use of Incorrectly-Resolved Name or Reference
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667 | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:23:38.773Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667" }, { "name": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-42451", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-24T20:35:55.298815Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-24T20:36:19.326Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003c 3.5.14" }, { "status": "affected", "version": "\u003e= 4.0.0, \u003c 4.0.10" }, { "status": "affected", "version": "\u003e= 4.1.0, \u003c 4.1.8" }, { "status": "affected", "version": "\u003e= 4.2.0-beta1, \u003c 4.2.0-rc2" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-706", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-19T15:56:46.962Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667" }, { "name": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8" } ], "source": { "advisory": "GHSA-v3xf-c9qf-j667", "discovery": "UNKNOWN" }, "title": "Mastodon Invalid Domain Name Normalization vulnerability" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-42451", "datePublished": "2023-09-19T15:56:46.962Z", "dateReserved": "2023-09-08T20:57:45.573Z", "dateUpdated": "2024-09-24T20:36:19.326Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-31263 (GCVE-0-2022-31263)
Vulnerability from cvelistv5
Published
2022-05-24 03:48
Modified
2024-08-03 07:11
CWE
- n/a
Summary
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/pull/17909 | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/releases/tag/v3.5.0 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T07:11:39.927Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/pull/17909" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.0" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-24T03:48:25", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/pull/17909" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.0" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-31263", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/mastodon/mastodon/pull/17909", "refsource": "CONFIRM", "url": "https://github.com/mastodon/mastodon/pull/17909" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.0", "refsource": "CONFIRM", "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.0" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-31263", "datePublished": "2022-05-24T03:48:25", "dateReserved": "2022-05-21T00:00:00", "dateUpdated": "2024-08-03T07:11:39.927Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-21018 (GCVE-0-2018-21018)
Vulnerability from cvelistv5
Published
2019-09-22 14:22
Modified
2024-08-05 12:19
CWE
- n/a
Summary
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
References
▼ | URL | Tags |
---|---|---|
https://github.com/tootsuite/mastodon/releases/tag/v2.6.2 | x_refsource_MISC | |
https://github.com/tootsuite/mastodon/releases/tag/v2.6.3 | x_refsource_MISC | |
https://github.com/tootsuite/mastodon/pull/9329 | x_refsource_MISC | |
https://github.com/tootsuite/mastodon/pull/9381 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:19:27.180Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.2" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.3" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/tootsuite/mastodon/pull/9329" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/tootsuite/mastodon/pull/9381" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-22T14:22:43", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.2" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.3" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/tootsuite/mastodon/pull/9329" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/tootsuite/mastodon/pull/9381" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-21018", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { 
"description_data": [ { "lang": "eng", "value": "Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.2", "refsource": "MISC", "url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.2" }, { "name": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.3", "refsource": "MISC", "url": "https://github.com/tootsuite/mastodon/releases/tag/v2.6.3" }, { "name": "https://github.com/tootsuite/mastodon/pull/9329", "refsource": "MISC", "url": "https://github.com/tootsuite/mastodon/pull/9329" }, { "name": "https://github.com/tootsuite/mastodon/pull/9381", "refsource": "MISC", "url": "https://github.com/tootsuite/mastodon/pull/9381" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-21018", "datePublished": "2019-09-22T14:22:43", "dateReserved": "2019-09-22T00:00:00", "dateUpdated": "2024-08-05T12:19:27.180Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-46405 (GCVE-0-2022-46405)
Vulnerability from cvelistv5
Published
2022-12-04 00:00
Modified
2025-04-24 15:19
CWE
- n/a
Summary
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages.
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:31:46.361Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://borg.social/notes/98bcoo2t1n" }, { "tags": [ "x_transferred" ], "url": "https://hackmd.io/rD9nsTz1QeuPT-erxqjY-A" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-46405", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-24T15:19:10.681479Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-674", "description": "CWE-674 Uncontrolled Recursion", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-24T15:19:38.915Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-12-04T00:00:00.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://borg.social/notes/98bcoo2t1n" }, { "url": "https://hackmd.io/rD9nsTz1QeuPT-erxqjY-A" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-46405", "datePublished": "2022-12-04T00:00:00.000Z", "dateReserved": "2022-12-04T00:00:00.000Z", "dateUpdated": "2025-04-24T15:19:38.915Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-48364 (GCVE-0-2022-48364)
Vulnerability from cvelistv5
Published
2023-03-06 00:00
Modified
2025-03-06 20:02
CWE
- n/a
Summary
The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive.
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T15:10:59.815Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/mastodon/mastodon/pull/18525" }, { "tags": [ "x_transferred" ], "url": "https://github.com/mastodon/mastodon/compare/v3.5.2...v3.5.3" }, { "tags": [ "x_transferred" ], "url": "https://github.com/40826d/advisories/blob/master/CVE-2022-48364/README.md" }, { "tags": [ "x_transferred" ], "url": "https://github.com/mastodon/mastodon/blob/main/CHANGELOG.md#353---2022-05-26" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-48364", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-03-06T20:01:42.879113Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-06T20:02:21.461Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server\u0027s representative account, resulting in moderator identity 
disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-06T00:00:00.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/mastodon/mastodon/pull/18525" }, { "url": "https://github.com/mastodon/mastodon/compare/v3.5.2...v3.5.3" }, { "url": "https://github.com/40826d/advisories/blob/master/CVE-2022-48364/README.md" }, { "url": "https://github.com/mastodon/mastodon/blob/main/CHANGELOG.md#353---2022-05-26" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-48364", "datePublished": "2023-03-06T00:00:00.000Z", "dateReserved": "2023-03-05T00:00:00.000Z", "dateUpdated": "2025-03-06T20:02:21.461Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-25618 (GCVE-0-2024-25618)
Vulnerability from cvelistv5
Published
2024-02-14 20:45
Modified
2025-05-12 15:16
CWE
- CWE-287 - Improper Authentication
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3 | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:44:09.684Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3" }, { "name": "https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-25618", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-02-21T16:05:01.572129Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-12T15:16:42.597Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003e= 4.2.0, \u003c 4.2.6" }, { "status": "affected", "version": "\u003e= 4.1.0, \u003c 4.1.14" }, { "status": "affected", "version": "\u003e= 4.0.0, \u003c 4.0.14" }, { "status": "affected", "version": "\u003c 3.5.18" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. 
When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-14T20:45:50.621Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3" }, { "name": "https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15" } ], "source": { "advisory": "GHSA-vm39-j3vx-pch3", "discovery": "UNKNOWN" }, "title": "External OpenID Connect Account Takeover by E-Mail Change in mastodon" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-25618", "datePublished": "2024-02-14T20:45:50.621Z", "dateReserved": "2024-02-08T22:26:33.510Z", "dateUpdated": "2025-05-12T15:16:42.597Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-24307 (GCVE-0-2022-24307)
Vulnerability from cvelistv5
Published
2022-02-03 19:06
Modified
2024-08-03 04:07
CWE
- n/a
Summary
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/releases/tag/v3.4.6 | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/releases/tag/v3.3.2 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:07:02.339Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.4.6" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.3.2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-03T19:06:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.4.6" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.3.2" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-24307", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. 
(JSON-LD signing has been supported since version 1.6.0.)" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/mastodon/mastodon/releases/tag/v3.4.6", "refsource": "CONFIRM", "url": "https://github.com/mastodon/mastodon/releases/tag/v3.4.6" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v3.3.2", "refsource": "CONFIRM", "url": "https://github.com/mastodon/mastodon/releases/tag/v3.3.2" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-24307", "datePublished": "2022-02-03T19:06:54", "dateReserved": "2022-02-02T00:00:00", "dateUpdated": "2024-08-03T04:07:02.339Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-23832 (GCVE-0-2024-23832)
Vulnerability from cvelistv5
Published
2024-02-01 16:18
Modified
2025-02-13 17:39
CWE
- CWE-290 - Authentication Bypass by Spoofing
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:13:08.481Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw" }, { "name": "https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/02/02/4" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-23832", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-08T15:46:05.845753Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-08T15:46:29.585Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003c 3.5.17" }, { "status": "affected", "version": "\u003e= 4.0.0, \u003c 4.0.13" }, { "status": "affected", "version": "\u003e= 4.1.0, \u003c 4.1.13" }, { "status": "affected", "version": "\u003e= 4.2.0, \u003c 4.2.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. 
Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x version prior to 4.1.13, and 4.2.x versions prior to 4.2.5." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-02T15:06:20.536Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw" }, { "name": "https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958" }, { "url": "http://www.openwall.com/lists/oss-security/2024/02/02/4" } ], "source": { "advisory": "GHSA-3fjr-858r-92rw", "discovery": "UNKNOWN" }, "title": "Mastodon Remote user impersonation and takeover" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-23832", "datePublished": "2024-02-01T16:18:03.528Z", "dateReserved": "2024-01-22T22:23:54.340Z", "dateUpdated": "2025-02-13T17:39:53.949Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-42450 (GCVE-0-2023-42450)
Vulnerability from cvelistv5
Published
2023-09-19 15:53
Modified
2025-06-18 14:28
CWE
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4 | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:23:38.545Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4" }, { "name": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-42450", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-06-18T14:28:37.435949Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-18T14:28:57.529Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003e= 4.2.0-beta1, \u003c 4.2.0-rc2" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-09-25T14:32:40.787Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4" }, { "name": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2" } ], "source": { "advisory": "GHSA-hcqf-fw2r-52g4", "discovery": "UNKNOWN" }, "title": "Mastodon Server-Side Request Forgery vulnerability" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-42450", "datePublished": "2023-09-19T15:53:39.685Z", "dateReserved": "2023-09-08T20:57:45.573Z", "dateUpdated": "2025-06-18T14:28:57.529Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-36462 (GCVE-0-2023-36462)
Vulnerability from cvelistv5
Published
2023-07-06 19:16
Modified
2024-10-24 14:25
CWE
- CWE-20 - Improper Input Validation
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v3.5.9 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v4.0.5 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v4.1.3 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:45:57.097Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq" }, { "name": "https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-36462", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-24T14:21:58.873405Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-24T14:25:32.031Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003e= 2.6.0, \u003c 3.5.9" }, { "status": "affected", "version": "\u003e= 4.0.0, \u003c 4.0.5" }, { "status": "affected", "version": "\u003e= 4.1.0, \u003c 
4.1.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-06T19:16:37.617Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq" }, { "name": "https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5", "tags": [ 
"x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3" } ], "source": { "advisory": "GHSA-55j9-c3mp-6fcq", "discovery": "UNKNOWN" }, "title": "Mastodon\u0027s verified profile links can be formatted in a misleading way" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-36462", "datePublished": "2023-07-06T19:16:37.617Z", "dateReserved": "2023-06-21T18:50:41.699Z", "dateUpdated": "2024-10-24T14:25:32.031Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-54879 (GCVE-0-2025-54879)
Vulnerability from cvelistv5
Published
2025-08-05 23:39
Modified
2025-08-06 20:32
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
Mastodon is a free, open-source social network server based on ActivityPub; it also supports LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and to send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3.
References
▼ | URL | Tags |
---|---|---|
https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg | x_refsource_CONFIRM | |
https://github.com/mastodon/mastodon/commit/e2592419d93fb41be03c2f3ff6a122fecb0e0952 | x_refsource_MISC | |
https://github.com/mastodon/mastodon/releases/tag/v4.4.3 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-54879", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-08-06T20:32:42.219873Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-08-06T20:32:56.740Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003e= 3.1.5, \u003c 4.2.24" }, { "status": "affected", "version": "\u003e= 4.3.0, \u003c 4.3.11" }, { "status": "affected", "version": "\u003e= 4.4.0, \u003c 4.4.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon\u0027s rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-05T23:39:59.130Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-84ch-6436-c7mg" }, { "name": "https://github.com/mastodon/mastodon/commit/e2592419d93fb41be03c2f3ff6a122fecb0e0952", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/e2592419d93fb41be03c2f3ff6a122fecb0e0952" }, { "name": "https://github.com/mastodon/mastodon/releases/tag/v4.4.3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.4.3" } ], "source": { "advisory": "GHSA-84ch-6436-c7mg", "discovery": "UNKNOWN" }, "title": "Mastodon e\u2011mail throttle misconfiguration allows unlimited email confirmations against unconfirmed emails" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-54879", "datePublished": "2025-08-05T23:39:59.130Z", "dateReserved": "2025-07-31T17:23:33.475Z", "dateUpdated": "2025-08-06T20:32:56.740Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-27399 (GCVE-0-2025-27399)
Vulnerability from cvelistv5
Published
2025-02-27 17:15
Modified
2025-02-27 17:59
CWE
Summary
Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins that do not want their domain blocks to be public are impacted. Versions 4.1.23, 4.2.16, and 4.3.4 fix the issue.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-27399", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-27T17:59:22.587729Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-27T17:59:31.801Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon", "vendor": "mastodon", "versions": [ { "status": "affected", "version": "\u003c 4.1.23" }, { "status": "affected", "version": "\u003e= 4.2.0, \u003c 4.2.16" }, { "status": "affected", "version": "\u003e= 4.3.0, \u003c 4.3.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to \"users\" (localized English string: \"To logged-in users\"), users that are not yet approved can view the block reasons. Instance admins that do not want their domain blocks to be public are impacted. Versions 4.1.23, 4.2.16, and 4.3.4 fix the issue." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-27T17:15:05.208Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-94h4-fj37-c825", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-94h4-fj37-c825" }, { "name": "https://github.com/mastodon/mastodon/commit/6b519cfefa93a923b19d0f20c292c7185f8fd5f5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/commit/6b519cfefa93a923b19d0f20c292c7185f8fd5f5" }, { "name": "https://github.com/mastodon/mastodon/blob/93f0427b8a84faf68d5d02cdf9a26f98fae16f2b/app/controllers/api/v1/instances/domain_blocks_controller.rb#L33-L35", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mastodon/mastodon/blob/93f0427b8a84faf68d5d02cdf9a26f98fae16f2b/app/controllers/api/v1/instances/domain_blocks_controller.rb#L33-L35" }, { "name": "https://github.com/mastodon/mastodon/blob/93f0427b8a84faf68d5d02cdf9a26f98fae16f2b/app/controllers/api/v1/instances/domain_blocks_controller.rb#L49-L51", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/mastodon/mastodon/blob/93f0427b8a84faf68d5d02cdf9a26f98fae16f2b/app/controllers/api/v1/instances/domain_blocks_controller.rb#L49-L51" } ], "source": { "advisory": "GHSA-94h4-fj37-c825", "discovery": "UNKNOWN" }, "title": "Mastodon\u0027s domain blocks \u0026 rationales ignore user approval when visibility set as \"users\"" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-27399", "datePublished": "2025-02-27T17:15:05.208Z", "dateReserved": "2025-02-24T15:51:17.267Z", "dateUpdated": "2025-02-27T17:59:31.801Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-2166 (GCVE-0-2022-2166)
Vulnerability from cvelistv5
Published
2022-11-16 00:00
Modified
2025-04-29 20:30
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Summary
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
mastodon | mastodon/mastodon |
Version: unspecified < 4.0.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:32:07.959Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://huntr.dev/bounties/2f96f990-01c2-44ea-ae47-58bdb3aa455b" }, { "tags": [ "x_transferred" ], "url": "https://github.com/mastodon/mastodon/commit/21fd25a269cca742af431f0d13299e139f267346" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-2166", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-04-29T20:28:47.363628Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-29T20:30:40.434Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "mastodon/mastodon", "vendor": "mastodon", "versions": [ { "lessThan": "4.0.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-307", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-16T00:00:00.000Z", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev" }, "references": [ { "url": "https://huntr.dev/bounties/2f96f990-01c2-44ea-ae47-58bdb3aa455b" }, { "url": "https://github.com/mastodon/mastodon/commit/21fd25a269cca742af431f0d13299e139f267346" } ], "source": { "advisory": "2f96f990-01c2-44ea-ae47-58bdb3aa455b", "discovery": "EXTERNAL" }, "title": "Improper Restriction of Excessive Authentication Attempts in mastodon/mastodon" } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-2166", "datePublished": "2022-11-16T00:00:00.000Z", "dateReserved": "2022-06-22T00:00:00.000Z", "dateUpdated": "2025-04-29T20:30:40.434Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }