Lucene search

GoogleOSV:BIT-MASTODON-2023-42451

HistoryMar 06, 2024 - 10:55 a.m.

BIT-mastodon-2023-42451

2024-03-0610:55:56

Google

osv.dev

mastodon social network

activitypub

security flaw

domain name normalization

patch

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

6.6 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.0%

JSON

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.

CPENameOperatorVersion
mastodonle4.2.0-beta1
mastodonge4.2.0-beta3
mastodonge4.2.0-rc1
mastodonlt4.1.8
mastodonle4.2.0-beta2
mastodonle4.2.0-beta3
mastodonle4.2.0-rc1
mastodonlt4.0.10
mastodonge4.2.0-beta1
mastodonge4.0.0

Name	Operator	Version
mastodon	le	4.2.0-beta1
mastodon	ge	4.2.0-beta3
mastodon	ge	4.2.0-rc1
mastodon	lt	4.1.8
mastodon	le	4.2.0-beta2
mastodon	le	4.2.0-beta3
mastodon	le	4.2.0-rc1
mastodon	lt	4.0.10
mastodon	ge	4.2.0-beta1
mastodon	ge	4.0.0

Rows per page:

1-10 of 131

References

github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8

github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

6.6 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.0%

JSON

Related for OSV:BIT-MASTODON-2023-42451