CVE-2022-0432
published 2022-02-02

CVE-2022-0432: Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
Priority: P3 · 37 · medium · CVSS 3.1 base score 6.1
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit likelihood (EPSS): 4.46% (90.3rd percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joinmastodon | mastodon | < 3.5.0 | 3.5.0 |
| mastodon | mastodon_mastodon | >= unspecified < 3.5.0 | 3.5.0 |
Detection & IOCs (extracted from sources)
- Send a GET request to /embed.js on the target Mastodon instance; a 200 response containing the string `if (data.type !== 'setHeight' || !iframes[data.id]) {` indicates a vulnerable (pre-3.5.0) version.
- The nuclei template requires BOTH an HTTP 200 status code AND the presence of the vulnerable string in the response body (`matchers-condition: and`). A 200 without the string (e.g. patched 3.5.0+) will not trigger.
- The vulnerability is present in mastodon/mastodon versions strictly prior to 3.5.0; patched in commit 4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 3.0 | 7.4 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
Nuclei

CVE-2022-0432 [MEDIUM] Mastodon Prototype Pollution Vulnerability (nuclei · CVSS 6.1)

The GitHub repository mastodon/mastodon prior to 3.5.0 contains a Prototype Pollution vulnerability.
Template:
```yaml
id: CVE-2022-0432

info:
  name: Mastodon Prototype Pollution Vulnerability
  author: pikpikcu
  severity: medium
  description: The GitHub repository mastodon/mastodon prior to 3.5.0 contains a Prototype Pollution vulnerability.
  impact: |
    Remote code execution
  remediation: |
    Apply the latest security patches and updates provided by the Mastodon project to mitigate the vulnerability.
  reference:
    - https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09
    - https://drive.google.com/file/d/1vpZ0CcmFhTEUasLTPUBf8o-4l7G6ojtG/view
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0432
    - https://huntr.dev/bounties/d06da292-7716-4
```
No writeups or analysis indexed.