#VU80914 Use of Incorrectly-Resolved Name or Reference in Mastodon


Published: 2023-09-20

Vulnerability identifier: #VU80914

Vulnerability risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-42451

CWE-ID: CWE-706

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mastodon
Server applications / Other server solutions

Vendor: Mastodon

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to invalid domain name normalization. A remote attacker can spoof domains they do not own.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mastodon: 3.5.0 - 3.5.13, 4.0.0 - 4.0.9, 4.1.0 - 4.1.7

External links
http://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8
http://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Mastodon