CRITICAL🇬🇧 English

CVE-2023-36460

CVSS 9.9v3.1pub. 2023-07-06upd. 2024-11-21

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Joinmastodon Mastodon

    APP
    Joinmastodon
    3.5.0 – 3.5.9 (bez)4.0.0 – 4.0.5 (bez)4.1.0 – 4.1.3 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCEDoSPath Traversal
CWE
Referencje

Powiązane podatności

CVE-2024-23832CRITICAL9.4PL ✓ten sam produkt

Mastodon: Podszywanie się pod zdalne konta poprzez brak walidacji origin

CVE-2023-36459CRITICAL9.3ten sam produkt

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior ...

CVE-2022-2166CRITICAL9.8ten sam produkt

Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0....

CVE-2022-24307CRITICAL9.8ten sam produkt

Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming...

CVE-2018-21018CRITICAL9.8ten sam produkt

Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.