CVE-2023-36462: Merge pull request from GHSA-55j9-c3mp-6fcq · mastodon/mastodon@610731b

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
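The defensive pattern behind this class of bug is that the text a reader sees must be computed from the href itself, never taken from display text the profile owner controls. The following is an added example, not Mastodon's code: a renderer that derives the visible text as a fixed-length prefix of the normalised URL, and a check that audits already-rendered anchors for a mismatch between visible text and target. DISPLAY_LIMIT, PREFIX_REGEX, ANCHOR_RE and the sample anchors are constructed for this example.

```ruby
require "uri"
require "erb"
require "cgi"

# Constructed values for this example (not Mastodon's constants).
DISPLAY_LIMIT = 30
PREFIX_REGEX = %r{\Ahttps?://(www\.)?}i

# Renders an anchor whose visible text is a fixed-length prefix of the
# normalised href, so it cannot be chosen independently of the target.
# Returns [html, visible_text].
def render_safe_link(raw_url)
  url = URI.parse(raw_url.strip).to_s          # raises URI::InvalidURIError on junk
  prefix = url.match(PREFIX_REGEX).to_s
  raise ArgumentError, "only http(s) URLs are rendered as links" if prefix.empty?
  rest = url[prefix.length..-1]
  display = rest[0, DISPLAY_LIMIT]
  cutoff = rest.length > DISPLAY_LIMIT
  h = ->(s) { ERB::Util.html_escape(s) }
  html = %(<a href="#{h.(url)}" rel="nofollow noopener noreferrer" target="_blank">) +
         h.(display) + (cutoff ? "..." : "") + "</a>"
  [html, display]
end

# Detection check for already-rendered anchors (for example when auditing
# stored profile fields): the text between the tags, with nested spans
# stripped, must be a prefix of the href once the scheme/www prefix is
# removed (or of the full href). Anything else means the reader sees text
# that did not come from the link target.
ANCHOR_RE = %r{<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>}im

def display_matches_href?(anchor_html)
  m = anchor_html.match(ANCHOR_RE)
  return false unless m
  href = CGI.unescapeHTML(m[1])
  visible = CGI.unescapeHTML(m[2].gsub(/<[^>]+>/, "")).sub(/\.\.\.\z/, "").strip
  return false if visible.empty?
  target = href.sub(PREFIX_REGEX, "")
  target.start_with?(visible) || href.start_with?(visible)
end
```

The check is deliberately strict: a verified link whose visible text is "https://bank.example/" but whose href points elsewhere fails it, while an anchor that hides the scheme in an invisible span still passes because the concatenated text equals the href.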


@@ -48,6 +48,26 @@ def to_s

html.html_safe # rubocop:disable Rails/OutputSafety

end

class << self

include ERB::Util

def shortened_link(url, rel_me: false)

url = Addressable::URI.parse(url).to_s

rel = rel_me ? (DEFAULT_REL + %w(me)) : DEFAULT_REL

prefix = url.match(URL_PREFIX_REGEX).to_s

display_url = url[prefix.length, 30]

suffix = url[prefix.length + 30…-1]

cutoff = url[prefix.length…-1].length > 30

<<~HTML.squish

<a href="#{h(url)}" target="_blank" rel="#{rel.join(' ')}" translate="no"><span class="invisible">#{h(prefix)}</span><span class="#{cutoff ? ‘ellipsis’ : '’}">#{h(display_url)}</span><span class="invisible">#{h(suffix)}</span></a>

HTML

rescue Addressable::URI::InvalidURIError, IDN::Idna::IdnaError

h(url)

end

end

private

def rewrite
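Review bot: the truncation width 30 is repeated three times in shortened_link (`display_url = url[prefix.length, 30]` and the two slices that follow it) with no constant and no comment; since that fixed slice is what guarantees the visible text is always derived from the href, name it as a constant beside DEFAULT_REL and add a doc comment on shortened_link saying so and noting that rel_me appends `me` to the rel attribute. The rescue branch returns h(url), plain escaped text rather than an anchor, for Addressable::URI::InvalidURIError and IDN::Idna::IdnaError; a one-line comment that this fallback is intentional would stop a future caller from assuming an <a> element is always returned.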


@@ -70,19 +90,7 @@ def rewrite

end

def link_to_url(entity)

url = Addressable::URI.parse(entity[:url]).to_s

rel = with_rel_me? ? (DEFAULT_REL + %w(me)) : DEFAULT_REL

prefix = url.match(URL_PREFIX_REGEX).to_s

display_url = url[prefix.length, 30]

suffix = url[prefix.length + 30…-1]

cutoff = url[prefix.length…-1].length > 30

<<~HTML.squish

<a href="#{h(url)}" target="_blank" rel="#{rel.join(' ')}" translate="no"><span class="invisible">#{h(prefix)}</span><span class="#{cutoff ? ‘ellipsis’ : '’}">#{h(display_url)}</span><span class="invisible">#{h(suffix)}</span></a>

HTML

rescue Addressable::URI::InvalidURIError, IDN::Idna::IdnaError

h(entity[:url])

TextFormatter.shortened_link(entity[:url], rel_me: with_rel_me?)

end

def link_to_hashtag(entity)
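Review bot: the removed rescue for Addressable::URI::InvalidURIError and IDN::Idna::IdnaError that returned h(entity[:url]) is now handled inside TextFormatter.shortened_link, which rescues the same two classes and returns h(url) of the same value, so malformed URLs still degrade to escaped text; say so in the commit message or in a comment on link_to_url, because a reader of this hunk alone sees error handling disappear. Passing `rel_me: with_rel_me?` preserves the rel="me" behaviour of the old inline body.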


Related news

"TootRoot" Mastodon vulnerabilities fixed: Admins, patch now!

We take a look at a collection of issues (now patched) which were affecting Mastodon servers. It's time to apply the fix for TootRoot. The post "TootRoot" Mastodon vulnerabilities fixed: Admins, patch now! appeared first on Malwarebytes Labs.

CVE-2023-36461: Release v3.5.9 · mastodon/mastodon

Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
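The failure mode described here is that a per-read timeout only bounds the gap between chunks, so a server that drips one byte at a time just inside that gap holds a worker forever; the fix is a second, wall-clock budget for the whole response. The following is an added example, not Mastodon's code, showing both limits side by side. The drip-feed writer stands in for a malicious upstream and everything runs over an in-process pipe (constructed input), so it works offline; the function names and the timing values are assumptions for this example.

```ruby
# Constructed stand-in for a slow upstream: writes one byte every `interval`
# seconds until the pipe is closed. Each byte arrives well inside a typical
# per-read timeout, so that limit alone never fires.
def start_drip_writer(writer, interval: 0.02)
  Thread.new do
    loop do
      writer.write("x")
      writer.flush
      sleep interval
    end
  rescue IOError, Errno::EPIPE
    nil # reader went away; stop quietly
  end
end

def now
  Process.clock_gettime(Process::CLOCK_MONOTONIC)
end

# Reads a body from `io` under two limits:
#   per_read_timeout - max wait for the *next* chunk (what the vulnerable code had)
#   total_deadline   - max wall-clock time for the whole body (what the fix adds)
# Returns [:ok, body], [:timeout, :per_read_timeout] or [:timeout, :total_deadline].
def read_with_deadline(io, per_read_timeout:, total_deadline:, max_bytes: 1024)
  body = +""
  start = now
  loop do
    remaining = total_deadline - (now - start)
    return [:timeout, :total_deadline] if remaining <= 0
    # never wait longer than the smaller of the two budgets
    ready = IO.select([io], nil, nil, [per_read_timeout, remaining].min)
    if ready.nil?
      # nothing arrived: the budget that was shorter is the one that ran out
      return [:timeout, remaining < per_read_timeout ? :total_deadline : :per_read_timeout]
    end
    chunk = io.read_nonblock(4096, exception: false)
    next if chunk == :wait_readable
    return [:ok, body] if chunk.nil?            # EOF
    body << chunk
    return [:ok, body] if body.bytesize >= max_bytes
  end
end

# Runs the reader against a drip-feed writer and returns the outcome.
def drip_feed_demo(per_read_timeout:, total_deadline:, max_bytes: 1024, interval: 0.02)
  reader, writer = IO.pipe
  t = start_drip_writer(writer, interval: interval)
  read_with_deadline(reader, per_read_timeout: per_read_timeout,
                     total_deadline: total_deadline, max_bytes: max_bytes)
ensure
  t&.kill
  writer&.close
  reader&.close
end
```

With a generous per-read timeout and a short total deadline the read is cut off by the deadline no matter how steadily bytes trickle in; with the deadline removed the same stream is only stopped by the byte cap, which is the situation the advisory describes.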
