oss-sec mailing list archives

CVE-2023-36460: mastodon: Arbitrary file creation through media attachments


From: Jan Schaumann <jschauma () netmeister org>
Date: Thu, 6 Jul 2023 18:21:59 -0400

(I have no affiliation with the project, but posting
this here because it seems to me that increasingly
non-packaged / GitHub distributed projects tend not to
send out announcements here.)

https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm

(This advisory describes an issue found by Cure53 as
part of an audit performed at Mozilla's request)

Using carefully crafted media files, attackers can
cause Mastodon's media processing code to create
arbitrary files at any location.

Impact
This allows attackers to create and overwrite any file
Mastodon has access to, allowing Denial of Service and
arbitrary Remote Code Execution.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Severity: 9.9/10

CVE-2023-36460

Affected versions: >= 3.5.0
Patched versions:  4.1.3, 4.0.5, 3.5.9
