CVE-2023-36461

Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*

History

14 Jul 2023, 19:25

Type Values Removed Values Added
First Time Joinmastodon mastodon
Joinmastodon
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CPE cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
References (MISC) https://github.com/mastodon/mastodon/releases/tag/v4.1.3 - (MISC) https://github.com/mastodon/mastodon/releases/tag/v4.1.3 - Third Party Advisory
References (MISC) https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc - (MISC) https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc - Third Party Advisory
References (MISC) https://github.com/mastodon/mastodon/releases/tag/v4.0.5 - (MISC) https://github.com/mastodon/mastodon/releases/tag/v4.0.5 - Third Party Advisory
References (MISC) https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6 - (MISC) https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6 - Patch, Third Party Advisory
References (MISC) http://www.openwall.com/lists/oss-security/2023/07/06/7 - (MISC) http://www.openwall.com/lists/oss-security/2023/07/06/7 - Mailing List
References (MISC) https://github.com/mastodon/mastodon/releases/tag/v3.5.9 - (MISC) https://github.com/mastodon/mastodon/releases/tag/v3.5.9 - Third Party Advisory

07 Jul 2023, 00:15

Type Values Removed Values Added
References
  • (MISC) http://www.openwall.com/lists/oss-security/2023/07/06/7 -

06 Jul 2023, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-06 19:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-36461

Mitre link : CVE-2023-36461

CVE.ORG link : CVE-2023-36461


JSON object : View

Products Affected

joinmastodon

  • mastodon
CWE
CWE-770

Allocation of Resources Without Limits or Throttling