Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Mastodon
(Joinmastodon)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 16 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-07-06 | CVE-2023-36461 | Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3... | Mastodon | 7.5 | ||
| 2023-07-06 | CVE-2023-36462 | Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions... | Mastodon | 5.4 | ||
| 2023-04-04 | CVE-2023-28853 | Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2. | Mastodon | 6.5 | ||
| 2023-03-06 | CVE-2022-48364 | The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive. | Mastodon | 4.3 | ||
| 2022-12-04 | CVE-2022-46405 | Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages. | Mastodon | 7.5 | ||
| 2022-11-16 | CVE-2022-2166 | Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. | Mastodon | 9.8 | ||
| 2022-05-24 | CVE-2022-31263 | app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions. | Mastodon | 5.3 | ||
| 2022-02-03 | CVE-2022-24307 | Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.) | Mastodon | 9.8 | ||
| 2022-02-02 | CVE-2022-0432 | Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0. | Mastodon | 6.1 | ||
| 2019-09-22 | CVE-2018-21018 | Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions. | Mastodon | N/A |