CVE-2023-42451

2023-09-1916:15:13

CWE-706

[email protected]

web.nvd.nist.gov

mastodon

vulnerability

domain name

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

28.8%

JSON

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.

Affected configurations

Nvd

Node

joinmastodonmastodonRange<3.5.14

joinmastodonmastodonRange4.0.0–4.0.10

joinmastodonmastodonRange4.1.0–4.1.8

joinmastodonmastodonMatch4.2.0beta1

joinmastodonmastodonMatch4.2.0beta2

joinmastodonmastodonMatch4.2.0beta3

joinmastodonmastodonMatch4.2.0rc1

VendorProductVersionCPE
joinmastodonmastodon*cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
joinmastodonmastodon4.2.0cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta1:*:*:*:*:*:*
joinmastodonmastodon4.2.0cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta2:*:*:*:*:*:*
joinmastodonmastodon4.2.0cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta3:*:*:*:*:*:*
joinmastodonmastodon4.2.0cpe:2.3:a:joinmastodon:mastodon:4.2.0:rc1:*:*:*:*:*:*

Vendor	Product	Version	CPE
joinmastodon	mastodon	*	cpe:2.3:a:joinmastodon:mastodon::::::::
joinmastodon	mastodon	4.2.0	cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta1::::::
joinmastodon	mastodon	4.2.0	cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta2::::::
joinmastodon	mastodon	4.2.0	cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta3::::::
joinmastodon	mastodon	4.2.0	cpe:2.3:a:joinmastodon:mastodon:4.2.0:rc1::::::