Summary
By crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon.
Found and reported by Gabriel Campana
Details
Pre-releases of Mastodon 4.2.0 up to 4.2.0-rc1 performed insufficient validation and escaping of URL path components,
Incorrect URL normalization, allowing arbitrary headers injection and HTTP request splitting.
Impact
This can be used to perform confused deputy attacks if the server configuration includes ALLOWED_PRIVATE_ADDRESSES to allow access to local exploitable services.
scumjr Reporter
Summary
By crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon.
Found and reported by Gabriel Campana
Details
Pre-releases of Mastodon 4.2.0 up to 4.2.0-rc1 performed insufficient validation and escaping of URL path components,
Incorrect URL normalization, allowing arbitrary headers injection and HTTP request splitting.
Impact
This can be used to perform confused deputy attacks if the server configuration includes
ALLOWED_PRIVATE_ADDRESSESto allow access to local exploitable services.