
CVE-2023-36460

Critical

Published: 06 July 2023
Modified: 21 November 2024
CISA KEV: not listed
Patch: available (3.5.9, 4.0.5, 4.1.3)
CVSS v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.4485 (97.7th percentile)
Risk Priority: 47 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-36460 is a critical-severity Path Traversal (CWE-22) vulnerability in Joinmastodon Mastodon. Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 2.3% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Mastodon, an open-source ActivityPub-based social network server, contains a path traversal vulnerability (CWE-22) in its media processing code. The flaw affects versions 3.5.0 through 3.5.8, 4.0.0 through 4.0.4, and 4.1.0 through 4.1.2; specially crafted media files can cause the server to write arbitrary files to any location on the filesystem accessible to the Mastodon process.

An attacker with a low-privileged account can upload the malicious media over the network and achieve arbitrary file creation or overwrite. This grants the ability to perform denial-of-service attacks by corrupting critical files and, in many deployments, to obtain remote code execution by placing attacker-controlled content in executable locations or configuration paths.

Patches addressing the issue were released in Mastodon 3.5.9, 4.0.5, and 4.1.3; the fix is tracked in commit dc8f1fbd976ae544720a4e07120d9a91b2722440. Administrators should upgrade to one of the patched releases. Because the only precondition is a low-privileged account that can upload media, which every ordinary user has, the practical interim control is to limit who can obtain an account (closing or gating new registrations) until the upgrade is applied. The EPSS score currently stands at 0.4485.
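As an added example (not from this page or the Mastodon project), the affected ranges and fixed releases stated above can be encoded as a small triage routine so an inventory of instances can be checked mechanically. The version strings must be bare (no leading "v"); the host names in the inventory are constructed for the demonstration.

```ruby
# Added example, not Mastodon's code: classify Mastodon versions against the
# CVE-2023-36460 affected ranges from the advisory (3.5.0..3.5.8, 4.0.0..4.0.4,
# 4.1.0..4.1.2) and name the release that fixes each branch.
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# One entry per affected release branch, with the first fixed release.
CVE_2023_36460_BRANCHES = [
  { affected: Gem::Requirement.new(">= 3.5.0", "< 3.5.9"), fixed: "3.5.9" },
  { affected: Gem::Requirement.new(">= 4.0.0", "< 4.0.5"), fixed: "4.0.5" },
  { affected: Gem::Requirement.new(">= 4.1.0", "< 4.1.3"), fixed: "4.1.3" },
].freeze

# Returns the release to upgrade to, or nil when +version+ is not inside any
# range the advisory lists. nil means "not in a listed range", not "audited
# safe": versions below 3.5.0 are simply outside the advisory's scope.
# Pre-release tags such as "4.1.3rc1" sort below the final release and are
# therefore reported as affected, which is the conservative answer.
def cve_2023_36460_fix_for(version)
  v = Gem::Version.new(version)
  branch = CVE_2023_36460_BRANCHES.find { |b| b[:affected].satisfied_by?(v) }
  branch && branch[:fixed]
end

def vulnerable_to_cve_2023_36460?(version)
  !cve_2023_36460_fix_for(version).nil?
end

# Reduce a {host => version} inventory to [host, version, fix] rows that still
# need an upgrade; hosts already on or past the fix for their branch drop out.
def triage(inventory)
  inventory.filter_map do |host, version|
    fix = cve_2023_36460_fix_for(version)
    [host, version, fix] if fix
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed inventory for the demonstration.
  fleet = { "social-a" => "4.1.2", "social-b" => "4.1.3", "legacy" => "3.5.8" }
  triage(fleet).each { |host, ver, fix| puts "#{host}: #{ver} -> upgrade to #{fix}" }
end
```

Using Gem::Version rather than string comparison matters at the boundaries: "3.5.10" sorts after "3.5.9" numerically, whereas a naive lexical compare would place it before.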


Vulnerability details

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 3.5.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, attackers using carefully crafted media files can cause Mastodon's media processing code to create arbitrary files at any location. This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

joinmastodon / mastodon
3.5.0 to 3.5.8 (fixed in 3.5.9) · 4.0.0 to 4.0.4 (fixed in 4.0.5) · 4.1.0 to 4.1.2 (fixed in 4.1.3)

Mitigating Controls

Likely mitigating controls

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE-22) cited in the NVD entry.

Addresses CWE-22: validate pathnames and filenames so that the resolved, canonical path cannot escape the intended directory. The check belongs on the normalised path, not on the raw string, since substring filters for "../" are routinely bypassed.
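The following is an added example of that control, written here for illustration; it is not Mastodon's code and does not reproduce the vulnerable routine. The base directory and file names are hypothetical. It places a typical string filter next to a containment check on the canonical path so the difference is visible on the same inputs.

```ruby
# Added example, not Mastodon's code: CWE-22 containment check for a file name
# that an attacker may influence, resolved inside a fixed media directory.
# base_dir and all file names below are hypothetical, constructed inputs.

class PathTraversalError < StandardError; end

# The kind of filter often mistaken for this control. One pass over "../"
# turns "....//x" into "../x", so the result still traverses. Kept only to
# contrast with safe_media_path.
def naive_sanitize(name)
  name.gsub("../", "")
end

# Resolve +name+ against +base_dir+ and return the absolute path only if it is
# strictly inside base_dir. The decision is made on the normalised path, after
# "." and ".." segments are collapsed, so doubled or nested traversal that a
# substring filter misses is still caught.
def safe_media_path(base_dir, name)
  raise PathTraversalError, "empty file name" if name.nil? || name.empty?
  # A NUL byte ends the string early in C-based libraries (libc, ImageMagick,
  # ffmpeg), so "ok.png\0../../x" could be checked as one path and used as another.
  raise PathTraversalError, "NUL byte in file name" if name.include?("\0")

  base = File.absolute_path(base_dir)
  prefix = base.end_with?(File::SEPARATOR) ? base : base + File::SEPARATOR

  # File.absolute_path is used instead of File.expand_path on purpose:
  # expand_path treats a leading "~" as a home directory, so "~root/x" would
  # leave base_dir before the check runs; absolute_path keeps "~" literal.
  # An absolute +name+ ignores base_dir and resolves to itself, which then
  # fails the prefix test below.
  candidate = File.absolute_path(name, base)

  unless candidate.start_with?(prefix)
    raise PathTraversalError, "#{name.inspect} resolves outside #{base}"
  end
  # This is lexical containment only. If untrusted users can create symlinks
  # under base_dir, also compare File.realpath of the existing parent directory.
  candidate
end

# Boolean form, convenient for a detection hook or audit log line.
def traversal_attempt?(base_dir, name)
  safe_media_path(base_dir, name)
  false
rescue PathTraversalError
  true
end

if $PROGRAM_NAME == __FILE__
  base = "/srv/mastodon/public/system" # hypothetical media root
  ["cache/ab/cd/avatar.png", "....//etc/passwd", "/etc/passwd", "a/../../.."].each do |n|
    puts "#{n.inspect}: #{traversal_attempt?(base, n) ? 'rejected' : safe_media_path(base, n)}"
  end
end
```

Note that the check returns the path the caller should use; code that validates one string and then opens a differently constructed one reintroduces the bug.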
