Lucene search

GitHub_MCVELIST:CVE-2023-42451

HistorySep 19, 2023 - 3:56 p.m.

CVE-2023-42451 Mastodon Invalid Domain Name Normalization vulnerability

2023-09-1915:56:46

CWE-706

GitHub_M

www.cve.org

mastodon

activitypub

domain spoofing

vulnerability

patch

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

0.0005 Low

EPSS

Percentile

18.0%

JSON

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.

CNA Affected

[
  {
    "vendor": "mastodon",
    "product": "mastodon",
    "versions": [
      {
        "version": "< 3.5.14",
        "status": "affected"
      },
      {
        "version": ">= 4.0.0, < 4.0.10",
        "status": "affected"
      },
      {
        "version": ">= 4.1.0, < 4.1.8",
        "status": "affected"
      },
      {
        "version": ">= 4.2.0-beta1, < 4.2.0-rc2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8

github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

0.0005 Low

EPSS

Percentile

18.0%

JSON

Related for CVELIST:CVE-2023-42451