Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2023/07/06/7 | Mailing List |
https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6 | Patch Third Party Advisory |
https://github.com/mastodon/mastodon/releases/tag/v3.5.9 | Third Party Advisory |
https://github.com/mastodon/mastodon/releases/tag/v4.0.5 | Third Party Advisory |
https://github.com/mastodon/mastodon/releases/tag/v4.1.3 | Third Party Advisory |
https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
14 Jul 2023, 19:25
Type | Values Removed | Values Added |
---|---|---|
First Time |
Joinmastodon mastodon
Joinmastodon |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CPE | cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:* | |
References | (MISC) https://github.com/mastodon/mastodon/releases/tag/v4.1.3 - Third Party Advisory | |
References | (MISC) https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc - Third Party Advisory | |
References | (MISC) https://github.com/mastodon/mastodon/releases/tag/v4.0.5 - Third Party Advisory | |
References | (MISC) https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6 - Patch, Third Party Advisory | |
References | (MISC) http://www.openwall.com/lists/oss-security/2023/07/06/7 - Mailing List | |
References | (MISC) https://github.com/mastodon/mastodon/releases/tag/v3.5.9 - Third Party Advisory |
07 Jul 2023, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
06 Jul 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-06 19:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-36461
Mitre link : CVE-2023-36461
CVE.ORG link : CVE-2023-36461
JSON object : View
Products Affected
joinmastodon
- mastodon
CWE
CWE-770
Allocation of Resources Without Limits or Throttling