GitHub_MVULNRICHMENT:CVE-2024-37903CVE-2024-37903 Mastodon has improper authorship check on audience extension for existing posts
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
yes
Technical Impact
partial
Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:joinmastodon:mastodon:2.6.0:*:*:*:*:*:*:*"
],
"vendor": "joinmastodon",
"product": "mastodon",
"versions": [
{
"status": "affected",
"version": "2.6.0",
"lessThan": "4.1.18",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:2.3:a:joinmastodon:mastodon:4.2.0:*:*:*:*:*:*:*"
],
"vendor": "joinmastodon",
"product": "mastodon",
"versions": [
{
"status": "affected",
"version": "4.2.0",
"lessThan": "4.2.10",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]References
github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3
github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6
github.com/mastodon/mastodon/releases/tag/v4.1.18
github.com/mastodon/mastodon/releases/tag/v4.2.10
github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
yes
Technical Impact
partial