{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-044.pdf"
    },
    "title": "Path Traversal Vulnerability in Mastodon Media File Handler",
    "serial_number": "2023-044",
    "publish_date": "07-07-2023 11:16:08",
    "description": "A critical security vulnerability has been discovered in Mastodon versions up to 3.5.8/4.0.4/4.1.2. This vulnerability, identified as a path traversal issue, affects the Media File Handler component of Mastodon. Exploitation of this vulnerability could allow an attacker to create or overwrite any file that Mastodon has access to, potentially leading to Denial of Service (DoS) and arbitrary Remote Code Execution (RCE).",
    "url_title": "2023-044",
    "content_markdown": "---\ntitle: 'Path Traversal Vulnerability in Mastodon Media File Handler'\nversion: '1.0'\nnumber: '2023-044'\noriginal_date: 'July 6, 2023'\ndate: 'July 7, 2023'\n---\n\n_History:_\n\n* _07/07/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nA critical security vulnerability has been discovered in Mastodon versions up to 3.5.8/4.0.4/4.1.2. This vulnerability, identified as a path traversal issue, affects the Media File Handler component of Mastodon. Exploitation of this vulnerability could allow an attacker to create or overwrite any file that Mastodon has access to, potentially leading to Denial of Service (DoS) and arbitrary Remote Code Execution (RCE).\n\n# Technical Details\n\nNo additional technical details or Proof of Concept are available at this time. This Security Advisory will be updated accordingly when that information becomes available.\n\n# Affected Products\n\nMastodon versions 3.5.0 and above up to 3.5.8/4.0.4/4.1.2 are affected by this vulnerability.\n\n# Recommendations\n\nUsers of affected versions are advised to upgrade to the patched versions immediately. The vulnerability has been fixed in the following versions:\n\n- 4.1.3\n- 4.0.5\n- 3.5.9\n\n# References\n\n[1] <https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>07/07/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>A critical security vulnerability has been discovered in Mastodon versions up to 3.5.8/4.0.4/4.1.2. This vulnerability, identified as a path traversal issue, affects the Media File Handler component of Mastodon. Exploitation of this vulnerability could allow an attacker to create or overwrite any file that Mastodon has access to, potentially leading to Denial of Service (DoS) and arbitrary Remote Code Execution (RCE).</p><h2 id=\"technical-details\">Technical Details</h2><p>No additional technical details or Proof of Concept are available at this time. This Security Advisory will be updated accordingly when that information becomes available.</p><h2 id=\"affected-products\">Affected Products</h2><p>Mastodon versions 3.5.0 and above up to 3.5.8/4.0.4/4.1.2 are affected by this vulnerability.</p><h2 id=\"recommendations\">Recommendations</h2><p>Users of affected versions are advised to upgrade to the patched versions immediately. The vulnerability has been fixed in the following versions:</p><ul><li>4.1.3</li><li>4.0.5</li><li>3.5.9</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm\">https://github.com/mastodon/mastodon/security/advisories/GHSA-9928-3cp5-93fm</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}