CVE-2023-42451

Summary

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.

Affected Software

VendorProductVersion RangeStatus
mastodonmastodon< 3.5.14affected
mastodonmastodon>= 4.0.0, < 4.0.10affected
mastodonmastodon>= 4.1.0, < 4.1.8affected
mastodonmastodon>= 4.2.0-beta1, < 4.2.0-rc2affected

Weaknesses

  • CWE-706: CWE-706: Use of Incorrectly-Resolved Name or Reference

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References