CVE-2023-42450

HIGH Year: 2023
CVSS v3 Score
7.5
High
Weakness Type
CWE-113
View all →

Vulnerability Description

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue.

Related Vulnerabilities

CVE-2018-7830

HIGH
CVSS:7.5(High)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where a...

CWE-1132018

CVE-2020-5247

HIGH
CVSS:7.5(High)

In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end...

CWE-1132020

CVE-2022-3215

HIGH
CVSS:7.5(High)

NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming reques...

CWE-1132022

CVE-2015-1445

HIGH
CVSS:7.2(High)

HTTP header injection in the httpd package in fli4l before 3.10.1 and 4.0 before 2015-01-30.

CWE-1132015

CVE-2016-8024

HIGH
CVSS:8.1(High)

Improper neutralization of CRLF sequences in HTTP headers vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote unauthenticated attacker to obtain sensiti...

CWE-1132016

CVE-2024-23644

HIGH
CVSS:8.1(High)

Trillium is a composable toolkit for building internet applications with async rust. In `trillium-http` prior to 0.3.12 and `trillium-client` prior to 0.5.4, insufficient validation of outbound header...

CWE-1132024