CVE-2023-42451
Published 2023-09-19
Priority: P343 | Severity: high | CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.57% (42.8th percentile)
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joinmastodon | mastodon | < 3.5.14 | 3.5.14 |
| joinmastodon | mastodon | — | — |
| joinmastodon | mastodon | >= 4.0.0 < 4.0.10 | 4.0.10 |
| joinmastodon | mastodon | >= 4.1.0 < 4.1.8 | 4.1.8 |
| mastodon | mastodon | < 3.5.14 | 3.5.14 |
| mastodon | mastodon | — | — |
| mastodon | mastodon | — | — |
| mastodon | mastodon | — | — |
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8
- https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667