Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect those activities from a certain class of spoofing, allowing threat actors to remove JSON entries from valid signed activities originating from a third-party actor. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: Low
- Availability: Low
Affected products
- mastodon / mastodon: >= 4.5.0-beta.1, < 4.5.10
- mastodon / mastodon: >= 4.4.0-beta.1, < 4.4.17
- mastodon / mastodon: < 4.3.23