CVE-2023-42450 - OpenCVE

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Joinmastodon	Mastodon

Configuration 1 [-]

OR	cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta1::::::
	cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta2::::::
	cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta3::::::
	cpe:2.3:a:joinmastodon:mastodon:4.2.0:rc1::::::

No data.

References

Link	Providers
https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2
https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-19T15:53:39.685Z

Updated: 2024-08-02T19:23:38.545Z

Reserved: 2023-09-08T20:57:45.573Z

Link: CVE-2023-42450

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-09-19T16:15:12.897

Modified: 2024-02-16T20:35:15.717

Link: CVE-2023-42450

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-42450", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-08T20:57:45.573Z", "datePublished": "2023-09-19T15:53:39.685Z", "dateUpdated": "2024-08-02T19:23:38.545Z"}, "containers": {"cna": {"title": "Mastodon Server-Side Request Forgery vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-113", "lang": "en", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4"}, {"name": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2"}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"version": ">= 4.2.0-beta1, < 4.2.0-rc2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-25T14:32:40.787Z"}, "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue."}], "source": {"advisory": "GHSA-hcqf-fw2r-52g4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:23:38.545Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4"}, {"name": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "D76FF8DD-B11D-4119-9B4E-32CE8365A25B", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "19DC8A22-E8EF-4FAB-B60E-64FE54AE0968", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "1406EB6A-186B-4A9C-95F6-5EC509867C3C", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:4.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "089015EE-D7E4-4370-B1ED-52283B06FF0A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue."}, {"lang": "es", "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub. A partir de la versi\u00f3n 4.2.0-beta1 y antes de la versi\u00f3n 4.2.0-rc2, al crear entradas espec\u00edficas, los atacantes pueden inyectar datos arbitrarios en las solicitudes HTTP emitidas por Mastodon. Esto se puede utilizar para realizar ataques adjuntos confusos si la configuraci\u00f3n del servidor incluye `ALLOWED_PRIVATE_ADDRESSES` para permitir el acceso a servicios locales explotables. La versi\u00f3n 4.2.0-rc2 tiene un parche para el problema."}], "id": "CVE-2023-42450", "lastModified": "2024-02-16T20:35:15.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-19T16:15:12.897", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-113"}, {"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}