CVE-2024-37903— Mastodon has improper authorship check on audience extension for existing posts

Mastodon has improper authorship check on audience extension for existing posts

Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

授权机制缺失

Mastodon 安全漏洞

Mastodon是一款基于ActivityPub的开源社交网络服务器。 Mastodon 2.6.0至4.1.18和4.2.10之前版本存在安全漏洞，该漏洞源于攻击者通过精心策划特定活动，将不属于他们自己的帖子的受众扩展到目标服务器上的其他用户，从而获得不属于他们帖子内容的访问权限。

N/A

N/A