CVE-2023-36460
published 2023-07-06


Priority: P273
CVSS 3.1: 9.9 (critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 37.26% (98.3rd percentile)
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

Affected (6 ranges listed; three rows carry no version data on the page)

Vendor          Product     Version range         Fixed in
joinmastodon    mastodon    >= 3.5.0, < 3.5.9     3.5.9
joinmastodon    mastodon    >= 4.0.0, < 4.0.5     4.0.5
joinmastodon    mastodon    >= 4.1.0, < 4.1.3     4.1.3
mastodon        mastodon    (not given)           (not given)
mastodon        mastodon    (not given)           (not given)
mastodon        mastodon    (not given)           (not given)

Detection & IOCs (extracted from sources)

  • Exploitation of CVE-2023-36460 results in web shell creation on Mastodon server instances; monitor for unexpected new files written by the Mastodon process, especially in web-accessible directories.
  • The vulnerability is triggered via crafted media file uploads; monitor Mastodon media processing for file creation events outside expected media storage paths.
  • Successful exploitation allows arbitrary file creation/overwrite by the Mastodon process, enabling RCE and DoS; alert on file writes to sensitive paths (e.g., config, initializers, public) by the Mastodon service account.
  • The vulnerability affects Mastodon versions starting at 3.5.0; versions 3.5.9, 4.0.5, and 4.1.3 contain the patch. Focus detection efforts on unpatched instances running 3.5.0–3.5.8, 4.0.0–4.0.4, or 4.1.0–4.1.2; a pre-release build of a fixed version (for example an rc of 4.1.3) should still be treated as unpatched.
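The following is an added worked example, not code from this page or from the Mastodon project. It puts the four detection notes above into a small Python triage helper: is_affected() reproduces the advisory's version ranges (last bullet), and classify_write()/triage() apply the file-write rules from the first three bullets to a stream of file-event records. The install path (/home/mastodon/live), the local media root under public/system, the service account name "mastodon", the list of "code" extensions, and the JSON-lines event format are all assumptions chosen for the example; SAMPLE_EVENTS is constructed input, not captured from a real incident.

```python
"""Triage helpers for CVE-2023-36460 (Mastodon crafted-media arbitrary file write).

Added example; not code from the page or from the Mastodon project.
"""
import json
import posixpath
import re

# Affected ranges from the advisory, [lower, fixed) per release branch.
# The 4th element orders a pre-release (0) below its final release (1), so a
# pre-release of the fixed version (e.g. 4.1.3rc1) still counts as affected.
AFFECTED_RANGES = (
    ((3, 5, 0, 0), (3, 5, 9, 1)),
    ((4, 0, 0, 0), (4, 0, 5, 1)),
    ((4, 1, 0, 0), (4, 1, 3, 1)),
)

_VERSION_RE = re.compile(
    r"v?(\d+)\.(\d+)\.(\d+)"              # major.minor.patch
    r"(?P<pre>-?[A-Za-z][0-9A-Za-z.]*)?"  # optional pre-release: rc1, -rc1, beta2 ...
    r"(?:\+[0-9A-Za-z.-]+)?"              # optional build metadata (+glitch, ...), ignored
)


def version_key(version: str) -> tuple:
    """Turn a Mastodon version string into a comparable tuple."""
    m = _VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, 0 if m.group("pre") else 1)


def is_affected(version: str) -> bool:
    """True if `version` is inside one of the advisory's affected ranges.
    Versions outside the listed branches (e.g. 4.2.x) are simply reported as
    not covered by this advisory."""
    v = version_key(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# --- Assumed deployment layout; adjust to the instance under review ---------
RAILS_ROOT = "/home/mastodon/live"            # assumption: default install path
MEDIA_ROOT = f"{RAILS_ROOT}/public/system"    # assumption: local media storage
EXPECTED_WRITE_ROOTS = (MEDIA_ROOT, f"{RAILS_ROOT}/tmp", "/tmp")
SENSITIVE_ROOTS = (                           # where a write means code execution or a web shell
    f"{RAILS_ROOT}/config",                   # config/initializers/*.rb is loaded at boot
    f"{RAILS_ROOT}/public",                   # served by the web server
    f"{RAILS_ROOT}/app",
    f"{RAILS_ROOT}/lib",
)
SERVICE_USER = "mastodon"                     # assumption: Mastodon service account
CODE_EXTENSIONS = {".rb", ".erb", ".html", ".js", ".php", ".sh"}  # chosen for the example


def under(path: str, root: str) -> bool:
    path = posixpath.normpath(path)
    return path == root or path.startswith(root + "/")


def classify_write(event: dict) -> tuple:
    """Return (severity, reason) for one file create/overwrite event."""
    if event.get("user") != SERVICE_USER or event.get("op") not in ("create", "write"):
        return ("info", "not a write by the Mastodon service account")
    path = posixpath.normpath(event["path"])  # collapses ../ in attacker-chosen names
    ext = posixpath.splitext(path)[1].lower()
    if under(path, MEDIA_ROOT):
        if ext in CODE_EXTENSIONS:
            return ("critical", "code/script file written into web-accessible media storage")
        return ("ok", "write inside expected media storage")
    if any(under(path, r) for r in EXPECTED_WRITE_ROOTS):
        return ("ok", "write inside expected scratch path")
    for root in SENSITIVE_ROOTS:
        if under(path, root):
            return ("critical", f"write outside media storage into {root}")
    return ("high", "write outside expected media/scratch paths")


# Constructed sample events (JSON lines: one file-event record per line).
SAMPLE_EVENTS = """\
{"ts":"2023-07-06T10:00:01Z","user":"mastodon","comm":"convert","op":"create","path":"/home/mastodon/live/public/system/media_attachments/files/110/000/original/abc.png"}
{"ts":"2023-07-06T10:00:02Z","user":"mastodon","comm":"ruby","op":"create","path":"/home/mastodon/live/public/system/../../config/initializers/zz_payload.rb"}
{"ts":"2023-07-06T10:00:03Z","user":"mastodon","comm":"ruby","op":"write","path":"/home/mastodon/live/public/system/cache/shell.html"}
{"ts":"2023-07-06T10:00:04Z","user":"postgres","comm":"postgres","op":"write","path":"/var/lib/postgresql/15/main/pg_wal/0000"}
{"ts":"2023-07-06T10:00:05Z","user":"mastodon","comm":"ruby","op":"create","path":"/home/mastodon/live/tmp/cache/bootsnap/x"}
"""


def triage(event_lines: str) -> list:
    """Parse JSON-lines file events; return (severity, normalised path, reason) findings."""
    findings = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        severity, reason = classify_write(event)
        if severity in ("high", "critical"):
            findings.append((severity, posixpath.normpath(event["path"]), reason))
    return findings


if __name__ == "__main__":
    print("4.1.2 affected:", is_affected("4.1.2"), "| 4.1.3 affected:", is_affected("4.1.3"))
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="  ")
```

Two design points: paths are normalised before the prefix checks, so a crafted name that reaches the sensitive directory through "../" segments is judged by where it actually lands, not by the string the media code was handed; and a script or HTML file inside the media root is flagged even though that root is an "expected" write location, because that is exactly where a web shell would be reachable. On a real host the event records would come from auditd, a file-integrity monitor or an EDR agent rather than from the constructed JSON lines here.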