oss-sec mailing list archives
CVE-2023-36461: mastodon: Denial of Service through slow HTTP responses
From: Jan Schaumann <jschauma () netmeister org>
Date: Thu, 6 Jul 2023 18:29:23 -0400
(I have no affiliation with the project, but posting this here because it
seems to me that increasingly non-packaged / GitHub distributed projects tend
not to send out announcements here.)

https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc

(This advisory describes an issue found by Cure53 as part of an audit
performed at Mozilla's request)

When performing outgoing HTTP queries, Mastodon sets a timeout on individual
read operations, but a malicious server can indefinitely extend the duration
of the response through slowloris-type attacks.

Impact

This vulnerability can be used to keep all Mastodon workers busy for an
extended duration of time, leading to the server becoming unresponsive.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: 7.5/10

CVE-2023-36461

Affected versions: all
Patched versions: 4.1.3, 4.0.5, 3.5.9
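As an added illustration (not part of the advisory, the original post, or Mastodon's own code), the following Ruby simulation shows why a timeout on individual read operations does not bound the total duration of a response. A constructed server drips one byte at a time, each byte arriving just inside the per-read timeout, so a client that only bounds each read never gives up; a client that also enforces an overall deadline on the whole response aborts. The SlowDripServer class, the fetch_* functions, and the timing values are assumptions made for the demonstration, not Mastodon's HTTP client.

```ruby
require 'timeout'

# Constructed stand-in for a slowloris-style server: blocks for `interval`
# seconds before handing over one byte, and does so `total_chunks` times.
# Each individual wait is short, but the whole body takes interval * chunks.
class SlowDripServer
  def initialize(interval:, total_chunks:)
    @interval = interval
    @remaining = total_chunks
  end

  # Returns one byte after a delay, or nil once the body is exhausted.
  def read_chunk
    return nil if @remaining.zero?
    @remaining -= 1
    sleep @interval
    "x"
  end
end

def monotonic_now
  Process.clock_gettime(Process::CLOCK_MONOTONIC)
end

def result(status, body, start)
  { status: status, bytes: body.bytesize, elapsed: (monotonic_now - start).round(2) }
end

# Client that bounds each read but not the response as a whole (the pattern
# the advisory describes). It only fails if a single read stalls longer than
# read_timeout; a server that keeps every gap below that can hold it forever.
def fetch_per_read_timeout(server, read_timeout:)
  body = +""
  start = monotonic_now
  while (chunk = Timeout.timeout(read_timeout) { server.read_chunk })
    body << chunk
  end
  result(:complete, body, start)
rescue Timeout::Error
  result(:read_timeout, body, start)
end

# Hardened client: keeps the per-read timeout and adds a total deadline for
# the response. Each read is bounded by whichever budget expires first, so
# a worker can never be held beyond total_timeout seconds.
def fetch_with_deadline(server, read_timeout:, total_timeout:)
  body = +""
  start = monotonic_now
  loop do
    remaining = total_timeout - (monotonic_now - start)
    return result(:deadline_exceeded, body, start) if remaining <= 0
    window = [read_timeout, remaining].min
    begin
      chunk = Timeout.timeout(window) { server.read_chunk }
    rescue Timeout::Error
      # If the overall budget was the tighter bound, report it as such.
      status = remaining <= read_timeout ? :deadline_exceeded : :read_timeout
      return result(status, body, start)
    end
    return result(:complete, body, start) if chunk.nil?
    body << chunk
  end
end

if $PROGRAM_NAME == __FILE__
  # 10 bytes, 50 ms apart: per-read timeout of 200 ms never fires.
  puts fetch_per_read_timeout(SlowDripServer.new(interval: 0.05, total_chunks: 10),
                              read_timeout: 0.2).inspect
  # Same server, but a 200 ms deadline on the whole response cuts it off.
  puts fetch_with_deadline(SlowDripServer.new(interval: 0.05, total_chunks: 10),
                           read_timeout: 0.2, total_timeout: 0.2).inspect
end
```

The point of the comparison is in the elapsed times: the per-read client spends the full interval * chunks seconds on the response while reporting success, which is what lets a malicious server pin every worker; the deadline client returns after total_timeout regardless of how the server paces its bytes. In a real client the deadline must cover connect, header, and body phases together, and the budget should be sized for the slowest legitimate peer rather than the timeout of a single read.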