Lucene search

GoogleOSV:BIT-MASTODON-2023-42451

HistoryMar 06, 2024 - 10:55 a.m.

BIT-mastodon-2023-42451

2024-03-0610:55:56

Google

osv.dev

mastodon social network

activitypub

security flaw

domain name normalization

patch

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

28.8%

JSON

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.

References

github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8

github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

28.8%

JSON

Related for OSV:BIT-MASTODON-2023-42451