CVE-2024-37903 - OpenCVE

Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3
https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6
https://github.com/mastodon/mastodon/releases/tag/v4.1.18
https://github.com/mastodon/mastodon/releases/tag/v4.2.10
https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-05T17:24:49.213Z

Updated: 2024-08-02T04:04:23.423Z

Reserved: 2024-06-10T19:54:41.362Z

Link: CVE-2024-37903

Vulnrichment

Updated: 2024-08-02T04:04:23.423Z

NVD

Status : Awaiting Analysis

Published: 2024-07-05T18:15:32.093

Modified: 2024-07-08T15:49:22.437

Link: CVE-2024-37903

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37903", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-10T19:54:41.362Z", "datePublished": "2024-07-05T17:24:49.213Z", "dateUpdated": "2024-08-02T04:04:23.423Z"}, "containers": {"cna": {"title": "Mastodon has improper authorship check on audience extension for existing posts", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3"}, {"name": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3"}, {"name": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10"}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"version": ">= 2.6.0, < 4.1.18", "status": "affected"}, {"version": ">= 4.2.0, < 4.2.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-05T17:24:49.213Z"}, "descriptions": [{"lang": "en", "value": "Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue."}], "source": {"advisory": "GHSA-xjvf-fm67-4qc3", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "joinmastodon", "product": "mastodon", "cpes": ["cpe:2.3:a:joinmastodon:mastodon:2.6.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.6.0", "status": "affected", "lessThan": "4.1.18", "versionType": "custom"}]}, {"vendor": "joinmastodon", "product": "mastodon", "cpes": ["cpe:2.3:a:joinmastodon:mastodon:4.2.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.2.0", "status": "affected", "lessThan": "4.2.10", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-31T19:04:59.386414Z", "id": "CVE-2024-37903", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T19:17:25.833Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:04:23.423Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3"}, {"name": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3"}, {"name": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3", "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3", "name": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6", "name": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18", "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10", "name": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:04:23.423Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37903", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-31T19:04:59.386414Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:joinmastodon:mastodon:2.6.0:*:*:*:*:*:*:*"], "vendor": "joinmastodon", "product": "mastodon", "versions": [{"status": "affected", "version": "2.6.0", "lessThan": "4.1.18", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:joinmastodon:mastodon:4.2.0:*:*:*:*:*:*:*"], "vendor": "joinmastodon", "product": "mastodon", "versions": [{"status": "affected", "version": "4.2.0", "lessThan": "4.2.10", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T19:17:12.398Z"}}], "cna": {"title": "Mastodon has improper authorship check on audience extension for existing posts", "source": {"advisory": "GHSA-xjvf-fm67-4qc3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"status": "affected", "version": ">= 2.6.0, < 4.1.18"}, {"status": "affected", "version": ">= 4.2.0, < 4.2.10"}]}], "references": [{"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3", "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3", "name": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6", "name": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18", "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10", "name": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-05T17:24:49.213Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37903", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:04:23.423Z", "dateReserved": "2024-06-10T19:54:41.362Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-05T17:24:49.213Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue."}, {"lang": "es", "value": " Mastodon es una plataforma de microblogging federada y autohospedada. A partir de la versi\u00f3n 2.6.0 y antes de las versiones 4.1.18 y 4.2.10, al crear actividades espec\u00edficas, un atacante puede ampliar la audiencia de una publicaci\u00f3n que no es de su propiedad a otros usuarios de Mastodon en un servidor de destino, obteniendo as\u00ed acceso al contenido de una publicaci\u00f3n no destinada a ellos. Las versiones 4.1.18 y 4.2.10 contienen un parche para este problema."}], "id": "CVE-2024-37903", "lastModified": "2024-07-08T15:49:22.437", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-05T18:15:32.093", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3"}, {"source": "security-advisories@github.com", "url": "https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6"}, {"source": "security-advisories@github.com", "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.18"}, {"source": "security-advisories@github.com", "url": "https://github.com/mastodon/mastodon/releases/tag/v4.2.10"}, {"source": "security-advisories@github.com", "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}