oss-sec mailing list archives
CVE-2023-36460: mastodon: Arbitrary file creation through media attachments
From: Jan Schaumann <jschauma () netmeister org>
Date: Thu, 6 Jul 2023 18:21:59 -0400
(I have no affiliation with the project, but posting this here because it
seems to me that increasingly non-packaged / GitHub distributed projects tend
not to send out announcements here.)

https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm

(This advisory describes an issue found by Cure53 as part of an audit
performed at Mozilla's request)

Using carefully crafted media files, attackers can cause Mastodon's media
processing code to create arbitrary files at any location.

Impact

This allows attackers to create and overwrite any file Mastodon has access to,
allowing Denial of Service and arbitrary Remote Code Execution.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: 9.9/10

CVE-2023-36460

Affected versions: >= 3.5.0
Patched versions: 4.1.3, 4.0.5, 3.5.9