8.6 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
Mastodon: SSRF protection bypass on older Ruby versions
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) corresponding to some private IPv4 addresses, depending on Ruby version, this can include loopback, RFC1918 private networks, and link-local space. An attacker who controls DNS for any domain can publish an AAAA record with such a mapped address; any outbound HTTP fetch Mastodon performs against that hostname then opens a real TCP connection to the underlying IPv4 address, including 127.0.0.1 and cloud-metadata endpoints such as 169.254.169.254. This vulnerability is fixed in 4.5.10, 4.4.17, and 4.3.23.
References
-
https://github.com/mastodon/mastodon/security/advisories/GHSA-xx55-4rrg-8xg6 x_refsource_CONFIRM
Affected products
- ==>= 4.5.0-beta.1, < 4.5.10
Matching in nixpkgs
pkgs.mastodon
Self-hosted, globally interconnected microblogging software based on ActivityPub
pkgs.bitlbee-mastodon
Bitlbee plugin for Mastodon
pkgs.mastodon-archive
Utility for backing up your Mastodon content
pkgs.python312Packages.mastodon-py
None
pkgs.python313Packages.mastodon-py
Python wrapper for the Mastodon API
pkgs.python314Packages.mastodon-py
Python wrapper for the Mastodon API
pkgs.home-assistant-component-tests.mastodon
None
Package maintainers
-
@jpotier Martin Potier <jpo.contributes.to.nixos@marvid.fr>
-
@ghuntley Geoffrey Huntley <ghuntley@ghuntley.com>
-
@erictapen Kerstin Humm <kerstin@erictapen.name>
-
@happy-river Happy River <happyriver93@runbox.com>
-
@Izorkin Yurii Izorkin <Izorkin@gmail.com>
-
@ju1m Julien Moutinho <julm@sourcephile.fr>
-
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>