5.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
Mastodon: Spoofing of attribution domains
Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how it is defined makes Linked Data Signatures on the toot:attributionDomains property ineffective. An attacker can arbitrarily modify the attributionDomains value of a legitimately signed Update activity and bypass Mastodon’s signature verification. This vulnerability is fixed in 4.5.11 and 4.4.18.
References
-
https://github.com/mastodon/mastodon/security/advisories/GHSA-rwcw-vq68-g34p x_refsource_CONFIRM
Affected products
- ==>= 4.3.0, < 4.4.18
- ==>= 4.5.0-beta.1, < 4.5.11
Matching in nixpkgs
pkgs.mastodon
Self-hosted, globally interconnected microblogging software based on ActivityPub
pkgs.bitlbee-mastodon
Bitlbee plugin for Mastodon
pkgs.mastodon-archive
Utility for backing up your Mastodon content
pkgs.python312Packages.mastodon-py
None
pkgs.python313Packages.mastodon-py
Python wrapper for the Mastodon API
pkgs.python314Packages.mastodon-py
Python wrapper for the Mastodon API
pkgs.home-assistant-component-tests.mastodon
None
Package maintainers
-
@jpotier Martin Potier <jpo.contributes.to.nixos@marvid.fr>
-
@ghuntley Geoffrey Huntley <ghuntley@ghuntley.com>
-
@erictapen Kerstin Humm <kerstin@erictapen.name>
-
@happy-river Happy River <happyriver93@runbox.com>
-
@Izorkin Yurii Izorkin <Izorkin@gmail.com>
-
@ju1m Julien Moutinho <julm@sourcephile.fr>
-
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>