Bitnami package
mastodon
pkg:bitnami/mastodon
Vulnerabilities (41)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-49952 | — | >= 4.1.0, < 4.1.17 | 4.1.17 | Nov 18, 2024 | Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header. | ||
| CVE-2024-34535 | — | < 4.2.9 | 4.2.9 | Oct 3, 2024 | In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header. | ||
| CVE-2024-37903 | — | >= 2.6.0, < 4.1.18 | 4.1.18 | Jul 5, 2024 | Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining | ||
| CVE-2024-25623 | — | < 3.5.19 | 3.5.19 | Feb 19, 2024 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Stream | ||
| CVE-2024-25619 | — | < 4.2.6 | 4.2.6 | Feb 14, 2024 | Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed, this could have posed security risks to users by allowing an application | ||
| CVE-2024-25618 | — | < 3.5.18 | 3.5.18 | Feb 14, 2024 | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the | ||
| CVE-2024-23832 | — | < 3.5.17 | 3.5.17 | Feb 1, 2024 | Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to | ||
| CVE-2023-42452 | — | >= 4.0.0, < 4.0.10 | 4.0.10 | Sep 19, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing un | ||
| CVE-2023-42451 | — | < 3.5.14 | 3.5.14 | Sep 19, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4. | ||
| CVE-2023-42450 | — | >= 4.2.0-beta1, < 4.2.0 | 4.2.0 | Sep 19, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused | ||
| CVE-2023-36462 | — | >= 2.6.0, < 3.5.9 | 3.5.9 | Jul 6, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appe | ||
| CVE-2023-36461 | — | < 3.5.9 | 3.5.9 | Jul 6, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the resp | ||
| CVE-2023-36460 | — | >= 3.5.0, < 3.5.9 | 3.5.9 | Jul 6, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location. | ||
| CVE-2023-36459 | — | >= 1.3.0, < 3.5.9 | 3.5.9 | Jul 6, 2023 | Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in | ||
| CVE-2023-28853 | — | >= 2.5.0, < 3.5.8 | 3.5.8 | Apr 4, 2023 | Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform | ||
| CVE-2022-48364 | — | >= 3.5.0, < 3.5.3 | 3.5.3 | Mar 6, 2023 | The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was | ||
| CVE-2022-46405 | — | < 4.0.3 | 4.0.3 | Dec 4, 2022 | Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacke | ||
| CVE-2022-2166 | — | < 3.5.6 | 3.5.6 | Nov 16, 2022 | Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0. | ||
| CVE-2022-31263 | — | < 3.5.0 | 3.5.0 | May 24, 2022 | app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions. | ||
| CVE-2022-24307 | — | < 3.3.2 | 3.3.2 | Feb 3, 2022 | Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.) |
- CVE-2023-49952Nov 18, 2024affected >= 4.1.0, < 4.1.17fixed 4.1.17
Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header.
- CVE-2024-34535Oct 3, 2024affected < 4.2.9fixed 4.2.9
In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header.
- CVE-2024-37903Jul 5, 2024affected >= 2.6.0, < 4.1.18fixed 4.1.18
Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining
- CVE-2024-25623Feb 19, 2024affected < 3.5.19fixed 3.5.19
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.2.7, 4.1.15, 4.0.15, and 3.5.19, when fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Stream
- CVE-2024-25619Feb 14, 2024affected < 4.2.6fixed 4.2.6
Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed, this could have posed security risks to users by allowing an application
- CVE-2024-25618Feb 14, 2024affected < 3.5.18fixed 3.5.18
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the
- CVE-2024-23832Feb 1, 2024affected < 3.5.17fixed 3.5.17
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to
- CVE-2023-42452Sep 19, 2023affected >= 4.0.0, < 4.0.10fixed 4.0.10
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing un
- CVE-2023-42451Sep 19, 2023affected < 3.5.14fixed 3.5.14
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.
- CVE-2023-42450Sep 19, 2023affected >= 4.2.0-beta1, < 4.2.0fixed 4.2.0
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused
- CVE-2023-36462Jul 6, 2023affected >= 2.6.0, < 3.5.9fixed 3.5.9
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appe
- CVE-2023-36461Jul 6, 2023affected < 3.5.9fixed 3.5.9
Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the resp
- CVE-2023-36460Jul 6, 2023affected >= 3.5.0, < 3.5.9fixed 3.5.9
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location.
- CVE-2023-36459Jul 6, 2023affected >= 1.3.0, < 3.5.9fixed 3.5.9
Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in
- CVE-2023-28853Apr 4, 2023affected >= 2.5.0, < 3.5.8fixed 3.5.8
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform
- CVE-2022-48364Mar 6, 2023affected >= 3.5.0, < 3.5.3fixed 3.5.3
The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was
- CVE-2022-46405Dec 4, 2022affected < 4.0.3fixed 4.0.3
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacke
- CVE-2022-2166Nov 16, 2022affected < 3.5.6fixed 3.5.6
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
- CVE-2022-31263May 24, 2022affected < 3.5.0fixed 3.5.0
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.
- CVE-2022-24307Feb 3, 2022affected < 3.3.2fixed 3.3.2
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
Page 2 of 3