Vulnerability Description
The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Joinmastodon | Mastodon | >= 3.5.0, < 3.5.3 |
Related Weaknesses (CWE)
References
- https://github.com/40826d/advisories/blob/master/CVE-2022-48364/README.mdExploitThird Party Advisory
- https://github.com/mastodon/mastodon/blob/main/CHANGELOG.md#353---2022-05-26Release Notes
- https://github.com/mastodon/mastodon/compare/v3.5.2...v3.5.3PatchProduct
- https://github.com/mastodon/mastodon/pull/18525Patch
- https://github.com/40826d/advisories/blob/master/CVE-2022-48364/README.mdExploitThird Party Advisory
- https://github.com/mastodon/mastodon/blob/main/CHANGELOG.md#353---2022-05-26Release Notes
- https://github.com/mastodon/mastodon/compare/v3.5.2...v3.5.3PatchProduct
- https://github.com/mastodon/mastodon/pull/18525Patch
FAQ
What is CVE-2022-48364?
CVE-2022-48364 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server's representative account, resulting in moderator identity di...
How severe is CVE-2022-48364?
CVE-2022-48364 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-48364?
Check the references section above for vendor advisories and patch information. Affected products include: Joinmastodon Mastodon.