CVE-2023-42451 - OpenCVE

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Joinmastodon	Mastodon

Configuration 1 [-]

OR	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta1::::::
	cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta2::::::
	cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta3::::::
	cpe:2.3:a:joinmastodon:mastodon:4.2.0:rc1::::::

References

Link	Resource
https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8	Patch
https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-19T15:56:46.962Z

Updated: 2023-09-19T15:56:46.962Z

Reserved: 2023-09-08T20:57:45.573Z

Link: CVE-2023-42451

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-09-19T16:15:13.303

Modified: 2023-09-22T17:10:42.063

Link: CVE-2023-42451

JSON object: View

Redhat Information

No data.

CWE

CWE-706

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-42451", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-08T20:57:45.573Z", "datePublished": "2023-09-19T15:56:46.962Z", "dateUpdated": "2023-09-19T15:56:46.962Z"}, "containers": {"cna": {"title": "Mastodon Invalid Domain Name Normalization vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-706", "lang": "en", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667"}, {"name": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8"}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"version": "< 3.5.14", "status": "affected"}, {"version": ">= 4.0.0, < 4.0.10", "status": "affected"}, {"version": ">= 4.1.0, < 4.1.8", "status": "affected"}, {"version": ">= 4.2.0-beta1, < 4.2.0-rc2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-19T15:56:46.962Z"}, "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue."}], "source": {"advisory": "GHSA-v3xf-c9qf-j667", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "73BDE2AA-8259-4C76-B344-BFD5512C4958", "versionEndExcluding": "3.5.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "98C89C5A-7235-4260-8656-CA90DB36CC96", "versionEndExcluding": "4.0.10", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "E58F736C-6245-4EF4-AE4D-FB6AA20F0D7B", "versionEndExcluding": "4.1.8", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "D76FF8DD-B11D-4119-9B4E-32CE8365A25B", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "19DC8A22-E8EF-4FAB-B60E-64FE54AE0968", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "1406EB6A-186B-4A9C-95F6-5EC509867C3C", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "089015EE-D7E4-4370-B1ED-52283B06FF0A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue."}, {"lang": "es", "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub. Antes de las versiones 3.5.14, 4.0.10, 4.1.8 y 4.2.0-rc2, bajo ciertas circunstancias, los atacantes pueden explotar una falla en la normalizaci\u00f3n de nombres de dominio para falsificar dominios que no son de su propiedad. Las versiones 3.5.14, 4.0.10, 4.1.8 y 4.2.0-rc2 contienen un parche para este problema."}], "id": "CVE-2023-42451", "lastModified": "2023-09-22T17:10:42.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-19T16:15:13.303", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-706"}], "source": "security-advisories@github.com", "type": "Primary"}]}