GitHub_MCVELIST:CVE-2024-25623CVE-2024-25623 Lack of media type verification of Activity Streams objects allows impersonation of remote accounts
8.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
8.6 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.2%
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn’t check that the response from the remote server has a Content-Type header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads. The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties: allows the attacker to register an account; accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors; and serves user-uploaded document in response to requests with an Accept header value of the Activity Streams media type. Versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19 contain a fix for this issue.
CNA Affected
[
{
"vendor": "mastodon",
"product": "mastodon",
"versions": [
{
"version": "< 3.5.19",
"status": "affected"
},
{
"version": ">= 4.0.0, < 4.0.15",
"status": "affected"
},
{
"version": ">= 4.1.0, < 4.1.15",
"status": "affected"
},
{
"version": ">= 4.2.0, < 4.2.7",
"status": "affected"
}
]
}
]Related
8.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
8.6 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.2%