All the vulnerabilities related to mastodon - mastodon
cve-2023-36459
Vulnerability from cvelistv5
Published
2023-07-06 18:29
Modified
2024-11-14 14:07
Severity ?
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user's browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:45:57.102Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp"
          },
          {
            "name": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/07/06/5"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-36459",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-14T14:07:13.081530Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-14T14:07:24.022Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mastodon",
          "vendor": "mastodon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.3, \u003c 3.5.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for cross-site scripting (XSS) payloads that can be rendered in the user\u0027s browser when a preview card for a malicious link is clicked through. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-06T18:29:07.669Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-ccm4-vgcc-73hp"
        },
        {
          "name": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/commit/6d8e0fae3e96f3cf4febe03fa7fcf5b95ff761b2"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/07/06/5"
        }
      ],
      "source": {
        "advisory": "GHSA-ccm4-vgcc-73hp",
        "discovery": "UNKNOWN"
      },
      "title": "Mastodon vulnerable to Cross-site Scripting through oEmbed preview cards"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-36459",
    "datePublished": "2023-07-06T18:29:07.669Z",
    "dateReserved": "2023-06-21T18:50:41.699Z",
    "dateUpdated": "2024-11-14T14:07:24.022Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-42451
Vulnerability from cvelistv5
Published
2023-09-19 15:56
Modified
2024-09-24 20:36
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:38.773Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667"
          },
          {
            "name": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-42451",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-24T20:35:55.298815Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-24T20:36:19.326Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mastodon",
          "vendor": "mastodon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.5.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0-beta1, \u003c 4.2.0-rc2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-706",
              "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-19T15:56:46.962Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667"
        },
        {
          "name": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8"
        }
      ],
      "source": {
        "advisory": "GHSA-v3xf-c9qf-j667",
        "discovery": "UNKNOWN"
      },
      "title": "Mastodon Invalid Domain Name Normalization vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-42451",
    "datePublished": "2023-09-19T15:56:46.962Z",
    "dateReserved": "2023-09-08T20:57:45.573Z",
    "dateUpdated": "2024-09-24T20:36:19.326Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25618
Vulnerability from cvelistv5
Published
2024-02-14 20:45
Modified
2024-08-01 23:44
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.684Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3"
          },
          {
            "name": "https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mastodon",
          "vendor": "mastodon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0, \u003c 4.2.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.14"
            },
            {
              "status": "affected",
              "version": "\u003c 3.5.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-14T20:45:50.621Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3"
        },
        {
          "name": "https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15"
        }
      ],
      "source": {
        "advisory": "GHSA-vm39-j3vx-pch3",
        "discovery": "UNKNOWN"
      },
      "title": "External OpenID Connect Account Takeover by E-Mail Change in mastodon"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-25618",
    "datePublished": "2024-02-14T20:45:50.621Z",
    "dateReserved": "2024-02-08T22:26:33.510Z",
    "dateUpdated": "2024-08-01T23:44:09.684Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-36462
Vulnerability from cvelistv5
Published
2023-07-06 19:16
Modified
2024-10-24 14:25
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:45:57.097Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq"
          },
          {
            "name": "https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-36462",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-24T14:21:58.873405Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-24T14:25:32.031Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mastodon",
          "vendor": "mastodon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.6.0, \u003c 3.5.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-06T19:16:37.617Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-55j9-c3mp-6fcq"
        },
        {
          "name": "https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/commit/610731b03dfcadd887078cb0399f4e514aa1931c"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3"
        }
      ],
      "source": {
        "advisory": "GHSA-55j9-c3mp-6fcq",
        "discovery": "UNKNOWN"
      },
      "title": "Mastodon\u0027s verified profile links can be formatted in a misleading way"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-36462",
    "datePublished": "2023-07-06T19:16:37.617Z",
    "dateReserved": "2023-06-21T18:50:41.699Z",
    "dateUpdated": "2024-10-24T14:25:32.031Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-23832
Vulnerability from cvelistv5
Published
2024-02-01 16:18
Modified
2024-11-08 15:46
Severity ?
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:13:08.481Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw"
          },
          {
            "name": "https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/02/02/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-23832",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-08T15:46:05.845753Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-08T15:46:29.585Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mastodon",
          "vendor": "mastodon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.5.17"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0, \u003c 4.2.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x version prior to 4.1.13, and 4.2.x versions prior to 4.2.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290: Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-01T16:18:03.528Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw"
        },
        {
          "name": "https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/02/02/4"
        }
      ],
      "source": {
        "advisory": "GHSA-3fjr-858r-92rw",
        "discovery": "UNKNOWN"
      },
      "title": "Mastodon Remote user impersonation and takeover"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-23832",
    "datePublished": "2024-02-01T16:18:03.528Z",
    "dateReserved": "2024-01-22T22:23:54.340Z",
    "dateUpdated": "2024-11-08T15:46:29.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25623
Vulnerability from cvelistv5
Published
2024-02-19 15:28
Modified
2024-08-01 23:44
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded documents in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25623",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-20T18:34:37.609043Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:47.723Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.828Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36"
          },
          {
            "name": "https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mastodon",
          "vendor": "mastodon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.5.19"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.15"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.15"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0, \u003c 4.2.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn\u0027t check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded document in response to requests with an `Accept` header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-19T15:28:15.296Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36"
        },
        {
          "name": "https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/commit/9fee5e852669e26f970e278021302e1a203fc022"
        }
      ],
      "source": {
        "advisory": "GHSA-jhrq-qvrm-qr36",
        "discovery": "UNKNOWN"
      },
      "title": "Lack of media type verification of Activity Streams objects allows impersonation of remote accounts"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-25623",
    "datePublished": "2024-02-19T15:28:15.296Z",
    "dateReserved": "2024-02-08T22:26:33.511Z",
    "dateUpdated": "2024-08-01T23:44:09.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-37903
Vulnerability from cvelistv5
Published
2024-07-05 17:24
Modified
2024-08-02 04:04
Summary
Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue.


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:joinmastodon:mastodon:2.6.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mastodon",
            "vendor": "joinmastodon",
            "versions": [
              {
                "lessThan": "4.1.18",
                "status": "affected",
                "version": "2.6.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:joinmastodon:mastodon:4.2.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mastodon",
            "vendor": "joinmastodon",
            "versions": [
              {
                "lessThan": "4.2.10",
                "status": "affected",
                "version": "4.2.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37903",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-31T19:04:59.386414Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-31T19:17:25.833Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:04:23.423Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3"
          },
          {
            "name": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3"
          },
          {
            "name": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mastodon",
          "vendor": "mastodon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.6.0, \u003c 4.1.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0, \u003c 4.2.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-05T17:24:49.213Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3"
        },
        {
          "name": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3"
        },
        {
          "name": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10"
        }
      ],
      "source": {
        "advisory": "GHSA-xjvf-fm67-4qc3",
        "discovery": "UNKNOWN"
      },
      "title": "Mastodon has improper authorship check on audience extension for existing posts"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-37903",
    "datePublished": "2024-07-05T17:24:49.213Z",
    "dateReserved": "2024-06-10T19:54:41.362Z",
    "dateUpdated": "2024-08-02T04:04:23.423Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-25619
Vulnerability from cvelistv5
Published
2024-02-14 20:50
Modified
2024-08-01 23:44
Summary
Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed. This could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed. Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback set up on `AccessTokenExtension` didn't actually fire, since `delete_all` doesn't trigger ActiveRecord callbacks. To mitigate, we need to add a `before_destroy` callback to `ApplicationExtension` which announces to streaming that all the Application's Access Tokens are being "killed". Impact should be negligible given the affected application had to be owned by the user. Nonetheless, this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability. Note: the record's `affected` entry for the 4.2 branch reads `>= 4.2.6, < 4.2.6`, a range that matches no version; since the fix shipped in 4.2.6, the intended range is presumably `>= 4.2.0, < 4.2.6`, so tooling that matches on that field alone may miss 4.2.x installs below 4.2.6.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25619",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-15T20:06:57.515329Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:34:59.800Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.688Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x"
          },
          {
            "name": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mastodon",
          "vendor": "mastodon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.6, \u003c 4.2.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.14"
            },
            {
              "status": "affected",
              "version": "\u003c 3.5.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn\u0027t being informed that the Access Tokens had also been destroyed, this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed. Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback setup on `AccessTokenExtension` didn\u0027t actually fire, since `delete_all` doesn\u0027t trigger ActiveRecord callbacks. To mitigate, we need to add a `before_destroy` callback to `ApplicationExtension` which announces to streaming that all the Application\u0027s Access Tokens are being \"killed\". Impact should be negligible given the affected application had to be owned by the user. None the less this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workaround for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613: Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-672",
              "description": "CWE-672: Operation on a Resource after Expiration or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-14T20:50:10.809Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x"
        },
        {
          "name": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71"
        }
      ],
      "source": {
        "advisory": "GHSA-7w3c-p9j8-mq3x",
        "discovery": "UNKNOWN"
      },
      "title": "Destroying OAuth Applications doesn\u0027t notify Streaming of Access Tokens being destroyed in mastodon"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-25619",
    "datePublished": "2024-02-14T20:50:10.809Z",
    "dateReserved": "2024-02-08T22:26:33.511Z",
    "dateUpdated": "2024-08-01T23:44:09.688Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-28853
Vulnerability from cvelistv5
Published
2023-04-04 21:14
Modified
2024-08-02 13:51
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and an attacker can perform an LDAP injection attack to leak arbitrary attributes from the LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T13:51:38.946Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv"
          },
          {
            "name": "https://github.com/mastodon/mastodon/pull/24379",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/pull/24379"
          },
          {
            "name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14"
          },
          {
            "name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/07/06/6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mastodon",
          "vendor": "mastodon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.5.0, \u003c 3.5.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and an attacker can perform an LDAP injection attack to leak arbitrary attributes from the LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-90",
              "description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-04T21:14:53.350Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv"
        },
        {
          "name": "https://github.com/mastodon/mastodon/pull/24379",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/pull/24379"
        },
        {
          "name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14"
        },
        {
          "name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/07/06/6"
        }
      ],
      "source": {
        "advisory": "GHSA-38g9-pfm9-gfqv",
        "discovery": "UNKNOWN"
      },
      "title": "Mastodon\u0027s blind LDAP injection in login allows the attacker to leak arbitrary attributes from LDAP database"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-28853",
    "datePublished": "2023-04-04T21:14:53.350Z",
    "dateReserved": "2023-03-24T16:25:34.467Z",
    "dateUpdated": "2024-08-02T13:51:38.946Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-42450
Vulnerability from cvelistv5
Published
2023-09-19 15:53
Modified
2024-08-02 19:23
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration sets `ALLOWED_PRIVATE_ADDRESSES` in a way that allows access to exploitable local services. Version 4.2.0-rc2 has a patch for the issue.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:38.545Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4"
          },
          {
            "name": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mastodon",
          "vendor": "mastodon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0-beta1, \u003c 4.2.0-rc2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-113",
              "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-25T14:32:40.787Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4"
        },
        {
          "name": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2"
        }
      ],
      "source": {
        "advisory": "GHSA-hcqf-fw2r-52g4",
        "discovery": "UNKNOWN"
      },
      "title": "Mastodon Server-Side Request Forgery vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-42450",
    "datePublished": "2023-09-19T15:53:39.685Z",
    "dateReserved": "2023-09-08T20:57:45.573Z",
    "dateUpdated": "2024-08-02T19:23:38.545Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-42452
Vulnerability from cvelistv5
Published
2023-09-19 15:58
Modified
2024-09-24 18:11
Summary
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon's strict Content Security Policy, which blocks inline scripts, among other things. However, a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the “Translate” button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue. (Note: the affected-version ranges in the record below give the 4.1 branch as ">= 4.1.0, < 4.1.8", which suggests that "4.2.8" in this summary is a typo for 4.1.8; check the linked advisory before choosing an upgrade target.)


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:38.536Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-2693-xr3m-jhqr",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-2693-xr3m-jhqr"
          },
          {
            "name": "https://github.com/mastodon/mastodon/commit/ff32475f5f4a84ebf9619e7eef5bf8b4c075d0e2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/commit/ff32475f5f4a84ebf9619e7eef5bf8b4c075d0e2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-42452",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-24T18:00:36.912577Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-24T18:11:03.787Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mastodon",
          "vendor": "mastodon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0-beta1, \u003c 4.2.0-rc2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to execute in the browser. The impact is limited thanks to Mastodon\u0027s strict Content Security Policy, blocking inline scripts, etc. However a CSP bypass or loophole could be exploited to execute malicious XSS. Furthermore, it requires user interaction, as this can only occur upon clicking the \u201cTranslate\u201d button on a malicious post. Versions 4.0.10, 4.2.8, and 4.2.0-rc2 contain a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-19T15:58:44.559Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-2693-xr3m-jhqr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-2693-xr3m-jhqr"
        },
        {
          "name": "https://github.com/mastodon/mastodon/commit/ff32475f5f4a84ebf9619e7eef5bf8b4c075d0e2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/commit/ff32475f5f4a84ebf9619e7eef5bf8b4c075d0e2"
        }
      ],
      "source": {
        "advisory": "GHSA-2693-xr3m-jhqr",
        "discovery": "UNKNOWN"
      },
      "title": "Mastodon vulnerable to Stored XSS through the translation feature"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-42452",
    "datePublished": "2023-09-19T15:58:44.559Z",
    "dateReserved": "2023-09-08T20:57:45.573Z",
    "dateUpdated": "2024-09-24T18:11:03.787Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-36460
Vulnerability from cvelistv5
Published
2023-07-06 18:39
Modified
2024-11-18 20:44
Summary
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:45:56.987Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm"
          },
          {
            "name": "https://github.com/mastodon/mastodon/commit/dc8f1fbd976ae544720a4e07120d9a91b2722440",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/commit/dc8f1fbd976ae544720a4e07120d9a91b2722440"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/07/06/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-36460",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-18T20:44:12.220464Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-18T20:44:22.004Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mastodon",
          "vendor": "mastodon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.5.0, \u003c 3.5.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon\u0027s media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-06T18:57:01.934Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm"
        },
        {
          "name": "https://github.com/mastodon/mastodon/commit/dc8f1fbd976ae544720a4e07120d9a91b2722440",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/commit/dc8f1fbd976ae544720a4e07120d9a91b2722440"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/07/06/4"
        }
      ],
      "source": {
        "advisory": "GHSA-9928-3cp5-93fm",
        "discovery": "UNKNOWN"
      },
      "title": "Mastodon vulnerable to arbitrary file creation through media attachments"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-36460",
    "datePublished": "2023-07-06T18:39:09.825Z",
    "dateReserved": "2023-06-21T18:50:41.699Z",
    "dateUpdated": "2024-11-18T20:44:22.004Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-36461
Vulnerability from cvelistv5
Published
2023-07-06 18:57
Modified
2024-11-15 17:56
Summary
Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, because that timeout applies to each read rather than to the response as a whole, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended period, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:45:56.828Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc"
          },
          {
            "name": "https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5"
          },
          {
            "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/07/06/7"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-36461",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-15T17:55:51.203349Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-15T17:56:02.828Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mastodon",
          "vendor": "mastodon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.5.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-06T18:57:59.160Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc"
        },
        {
          "name": "https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.9"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.5"
        },
        {
          "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.3"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/07/06/7"
        }
      ],
      "source": {
        "advisory": "GHSA-9pxv-6qvf-pjwc",
        "discovery": "UNKNOWN"
      },
      "title": "Mastodon vulnerable to Denial of Service through slow HTTP responses"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-36461",
    "datePublished": "2023-07-06T18:57:59.160Z",
    "dateReserved": "2023-06-21T18:50:41.699Z",
    "dateUpdated": "2024-11-15T17:56:02.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}