CVE-2023-42451

moderate-risk
Published 2023-09-19

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.

Do I need to act?

-
0.38% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.4/10 High
NETWORK / HIGH complexity

Affected Products (5)

Affected Vendors

Joinmastodon

References (4)

Patch https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab19...
Vendor Advisory https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667
Patch https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab19...
Vendor Advisory https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667
35
/ 100
moderate-risk
Severity 22/34 · High
Exploitability 1/34 · Minimal
Exposure 12/34 · Low