PT-2023-8743 · Mastodon · Mastodon

Cure53 · Published 2023-07-06 · Updated 2024-03-06 · CVE-2023-36460

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Mastodon versions 3.5.0 through 3.5.8
Mastodon versions 4.0.0 through 4.0.4
Mastodon versions 4.1.0 through 4.1.2

Description
The issue arises from a flaw in the media processing code, allowing attackers to create arbitrary files at any location using carefully crafted media files. This can lead to Denial of Service and arbitrary Remote Code Execution. The vulnerability is caused by an error in input validation when handling directory traversal sequences.

Recommendations
For Mastodon versions 3.5.0 through 3.5.8, update to version 3.5.9 or later.
For Mastodon versions 4.0.0 through 4.0.4, update to version 4.0.5 or later.
For Mastodon versions 4.1.0 through 4.1.2, update to version 4.1.3 or later.
As a temporary workaround, consider restricting access to the media processing code until a patch is applied. Avoid using the media file handler component until the issue is resolved.
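As an added defensive illustration, not code from the Mastodon project or from this advisory, the kind of input-validation check the description refers to: the destination of a media file is resolved first and then confirmed to lie under the media root, so traversal sequences hidden behind normalisation are rejected. The root path is a constructed example and only the Python standard library is used.

```python
import os

# Constructed example root; a real service would use its configured media directory.
MEDIA_ROOT = "/srv/app/media"


class UnsafeMediaPath(ValueError):
    """Raised when a requested media path would escape the media root."""


def safe_media_path(relative_name: str, root: str = MEDIA_ROOT) -> str:
    """Return the absolute on-disk path for a media file, or raise if it escapes root.

    The decision is made on the *resolved* path rather than by scanning the input
    string for "..", so "a/../../x", "./..", and similar are all handled uniformly.
    """
    if not relative_name or "\x00" in relative_name:
        raise UnsafeMediaPath("empty name or NUL byte in name")
    # Backslashes act as separators on some platforms; normalise them first.
    name = relative_name.replace("\\", "/")
    # An absolute name would make os.path.join discard the root entirely.
    if name.startswith("/"):
        raise UnsafeMediaPath("absolute path not allowed")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    # commonpath, unlike a plain string-prefix test, does not accept
    # /srv/app/media2 as being inside /srv/app/media.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafeMediaPath(f"{relative_name!r} resolves outside the media root")
    if candidate == root_real:
        raise UnsafeMediaPath("name resolves to the media root itself, not a file")
    return candidate


def is_safe(relative_name: str, root: str = MEDIA_ROOT) -> bool:
    """Boolean wrapper around safe_media_path for filtering or logging."""
    try:
        safe_media_path(relative_name, root)
        return True
    except UnsafeMediaPath:
        return False
```

realpath also follows symlinks when the directory tree exists, so a link planted inside the media root that points elsewhere is rejected by the same check.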

Exploit · Fix · RCE · DoS · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2024-01776
BIT-MASTODON-2023-36460
CVE-2023-36460
GHSA-9928-3CP5-93FM

Affected Products

Mastodon