Ryan Baumann on Nostr: I don't know who needs to hear this but #TruthSocial, which is running a forked ...
I don't know who needs to hear this but #TruthSocial, which is running a forked version of Mastodon, does not from the source code appear to have appropriate mitigations in place for CVE-2023-36460, which theoretically allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution
https://nvd.nist.gov/vuln/detail/CVE-2023-36460 (probably other CVEs as well, but some rely on federation which Truth Social doesn't use?) #infosec
Published at 2024-03-23 20:32:34

Event JSON
{
  "id": "86776e1ee7707e6b7c2b75262dc9f17b4291fdf2bb4dca6f98a7b2373f1d55a3",
  "pubkey": "90b47e4ee64c727c5638a52ea4c9502f7bf560740acc1d4e796b307132806d07",
  "created_at": 1711225954,
  "kind": 1,
  "tags": [
    [
      "t",
      "infosec"
    ],
    [
      "t",
      "truthsocial"
    ],
    [
      "proxy",
      "https://digipres.club/users/ryanfb/statuses/112146904149736275",
      "activitypub"
    ]
  ],
  "content": "I don't know who needs to hear this but #TruthSocial, which is running a forked version of Mastodon, does not from the source code appear to have appropriate mitigations in place for CVE-2023-36460, which theoretically allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution https://nvd.nist.gov/vuln/detail/CVE-2023-36460 (probably other CVE's as well, but some rely on federation which Truth Social doesn't use?) #infosec",
  "sig": "a7f8428d638f8d55b2a36e61b882ec75a96c004f2fb73f8739ff59adc055f989e226602a9584a6d1108729a6e5a98b58ee2b6f5eb613bfc956b7a00a8e5920d6"
}