Vulnerabilities > CVE-2023-42450 - Server-Side Request Forgery (SSRF) vulnerability in Joinmastodon Mastodon 4.2.0

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

joinmastodon

CWE-918

NVD

Published: 2023-09-19

Updated: 2024-02-16

Summary

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue.

Vulnerable Configurations

Part	Description	Count
Application	Joinmastodon Joinmastodon Mastodon 4.2.0	4

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

https://github.com/mastodon/mastodon/commit/94893cf24fc95b32cc7a756262acbe008c20a9d2
https://github.com/mastodon/mastodon/security/advisories/GHSA-hcqf-fw2r-52g4