Vulnerability Details : CVE-2023-36461
Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
Products affected by CVE-2023-36461
- cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
- cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
- cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-36461
0.17%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 54 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-36461
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2023-36461
-
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-36461
-
https://github.com/mastodon/mastodon/security/advisories/GHSA-9pxv-6qvf-pjwc
Denial of Service through slow HTTP responses · Advisory · mastodon/mastodon · GitHubThird Party Advisory
-
http://www.openwall.com/lists/oss-security/2023/07/06/7
oss-security - CVE-2023-36461: mastodon: Denial of Service through slow HTTP responsesMailing List
-
https://github.com/mastodon/mastodon/releases/tag/v3.5.9
Release v3.5.9 · mastodon/mastodon · GitHubThird Party Advisory
-
https://github.com/mastodon/mastodon/releases/tag/v4.0.5
Release v4.0.5 · mastodon/mastodon · GitHubThird Party Advisory
-
https://github.com/mastodon/mastodon/releases/tag/v4.1.3
Release v4.1.3 · mastodon/mastodon · GitHubThird Party Advisory
-
https://github.com/mastodon/mastodon/commit/c5929798bf7e56cc2c79b15bed0c4692ded3dcb6
Merge pull request from GHSA-9pxv-6qvf-pjwc · mastodon/mastodon@c592979 · GitHubPatch;Third Party Advisory
Jump to