Mastodon
CVE-2023-36461
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
AnalysisAI
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
Technical ContextAI
This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue. Affected products include: Joinmastodon Mastodon.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Set resource limits, implement rate limiting, validate input sizes.
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.4), this vulnera
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Mastodon is a free, open-source social network server based on ActivityPub. Rated critical severity (CVSS 9.9), this vul
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. Rated c
Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing
Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls autho
Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe t
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Masto
Mastodon is a self-hosted, federated microblogging platform. Rated high severity (CVSS 8.2), this vulnerability is remot
Mastodon is a free, open-source social network server based on ActivityPub. Rated high severity (CVSS 7.7), this vulnera
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today