Lucene search

GoogleOSV:BIT-MASTODON-2022-48364

HistoryMar 06, 2024 - 10:57 a.m.

BIT-mastodon-2022-48364

2024-03-0610:57:04

Google

osv.dev

mastodon

sensitive status update

moderator identity disclosure

software vulnerability

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

35.4%

JSON

The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server’s representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive.

References

github.com/40826d/advisories/blob/master/CVE-2022-48364/README.md

github.com/mastodon/mastodon/blob/main/CHANGELOG.md#353---2022-05-26

github.com/mastodon/mastodon/compare/v3.5.2...v3.5.3

github.com/mastodon/mastodon/pull/18525

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

35.4%

JSON

Related for OSV:BIT-MASTODON-2022-48364