Vulnerabilities > CVE-2023-42450 - Server-Side Request Forgery (SSRF) vulnerability in Joinmastodon Mastodon 4.2.0

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
low complexity
joinmastodon
CWE-918

Summary

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue.

Vulnerable Configurations

Part Description Count
Application
Joinmastodon
4

Common Weakness Enumeration (CWE)