CVE-2023-42451

2023-09-1916:15:13

CWE-706

[email protected]

web.nvd.nist.gov

mastodon

social network

server

activitypub

cve-2023-42451

security flaw

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.0005 Low

EPSS

Percentile

18.0%

JSON

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.

Affected configurations

Vulners

NVD

Node

mastodonmastodonRange<3.5.14

mastodonmastodonRange4.0.0–4.0.10

mastodonmastodonRange4.1.0–4.1.8

mastodonmastodonRange4.2.0-beta1–4.2.0-rc2

CPENameOperatorVersion
joinmastodon:mastodonjoinmastodon mastodonlt3.5.14
joinmastodon:mastodonjoinmastodon mastodonlt4.0.10
joinmastodon:mastodonjoinmastodon mastodonlt4.1.8
joinmastodon:mastodonjoinmastodon mastodoneq4.2.0

CPE	Name	Operator	Version
joinmastodon:mastodon	joinmastodon mastodon	lt	3.5.14
joinmastodon:mastodon	joinmastodon mastodon	lt	4.0.10
joinmastodon:mastodon	joinmastodon mastodon	lt	4.1.8
joinmastodon:mastodon	joinmastodon mastodon	eq	4.2.0

CNA Affected

[
  {
    "vendor": "mastodon",
    "product": "mastodon",
    "versions": [
      {
        "version": "< 3.5.14",
        "status": "affected"
      },
      {
        "version": ">= 4.0.0, < 4.0.10",
        "status": "affected"
      },
      {
        "version": ">= 4.1.0, < 4.1.8",
        "status": "affected"
      },
      {
        "version": ">= 4.2.0-beta1, < 4.2.0-rc2",
        "status": "affected"
      }
    ]
  }
]