CVE-2024-37903 — Mastodon has improper authorship check on audience extension for existing posts

Description

Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue.

How to fix CVE-2024-37903

To remediate CVE-2024-37903, upgrade the affected package to a fixed version below.

—upgrade to 4.1.18 or later

Is CVE-2024-37903 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.6.0, < 4.1.18, >= 4.2.0, < 4.2.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References (6)

WEBgithub.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3
WEBgithub.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6
WEBgithub.com/mastodon/mastodon/releases/tag/v4.1.18
WEBgithub.com/mastodon/mastodon/releases/tag/v4.2.10