{"id":"CVE-2024-37903","summary":"Mastodon has improper authorship check on audience extension for existing posts","details":"Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue.","aliases":["BIT-mastodon-2024-37903","GHSA-xjvf-fm67-4qc3"],"modified":"2026-04-10T05:14:18.078973Z","published":"2024-07-05T17:24:49.213Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/37xxx/CVE-2024-37903.json","cwe_ids":["CWE-862"]},"references":[{"type":"WEB","url":"https://github.com/mastodon/mastodon/releases/tag/v4.1.18"},{"type":"WEB","url":"https://github.com/mastodon/mastodon/releases/tag/v4.2.10"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/37xxx/CVE-2024-37903.json"},{"type":"ADVISORY","url":"https://github.com/mastodon/mastodon/security/advisories/GHSA-xjvf-fm67-4qc3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37903"},{"type":"FIX","url":"https://github.com/mastodon/mastodon/commit/a1c7aae28aecf06659c5b18cfa131b37cd1512a3"},{"type":"FIX","url":"https://github.com/mastodon/mastodon/commit/d4bf22b632ea8b1174375c4966a6768ab66393b6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mastodon/mastodon","events":[{"introduced":"50ce347ef96690767b21ee01d6a785166c583b6b"},{"fixed":"ff90ebffaa80bb48d12a838d9a4f82fa7edb602b"}],"database_specific":{"versions":[{"introduced":"2.6.0"},{"fixed":"4.1.18"}]}},{"type":"GIT","repo":"https://github.com/mastodon/mastodon","events":[{"introduced":"4fcc026f0f1b12a9de21a3af33375a9c8867dd55"},{"fixed":"a5b4a2b7e71aedd2f04bc7a90f79dfe234fa7f89"}],"database_specific":{"versions":[{"introduced":"4.2.0"},{"fixed":"4.2.10"}]}}],"versions":["v2.6.0","v2.6.1","v2.7.0","v2.7.0rc1","v2.7.0rc2","v2.7.0rc3","v2.7.1","v2.8.0","v2.8.0rc1","v2.8.0rc2","v2.8.0rc3","v2.8.1","v2.8.2","v2.9.0","v2.9.0rc1","v2.9.0rc2","v2.9.1","v2.9.2","v3.0.0","v3.0.0rc1","v3.0.0rc2","v3.0.0rc3","v3.0.1","v3.1.0","v3.1.0rc1","v3.1.0rc2","v3.1.1","v3.1.2","v3.1.3","v3.1.4","v3.2.0","v3.2.0rc1","v3.2.0rc2","v3.3.0","v3.3.0rc1","v3.3.0rc2","v3.3.0rc3","v3.4.0","v3.4.0rc1","v3.4.0rc2","v3.4.1","v3.5.0","v3.5.0rc1","v3.5.0rc2","v3.5.0rc3","v3.5.1","v3.5.2","v3.5.3","v4.0.0","v4.0.0rc1","v4.0.0rc2","v4.0.0rc3","v4.0.0rc4","v4.0.1","v4.0.2","v4.1.0","v4.1.0rc1","v4.1.0rc2","v4.1.0rc3","v4.1.1","v4.1.10","v4.1.11","v4.1.12","v4.1.13","v4.1.14","v4.1.15","v4.1.16","v4.1.17","v4.1.2","v4.1.3","v4.1.4","v4.1.5","v4.1.6","v4.1.7","v4.1.8","v4.1.9","v4.2.0","v4.2.1","v4.2.2","v4.2.3","v4.2.4","v4.2.5","v4.2.6","v4.2.7","v4.2.8","v4.2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37903.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/tootsuite/mastodon","events":[{"introduced":"50ce347ef96690767b21ee01d6a785166c583b6b"},{"fixed":"ff90ebffaa80bb48d12a838d9a4f82fa7edb602b"},{"introduced":"4fcc026f0f1b12a9de21a3af33375a9c8867dd55"},{"fixed":"a5b4a2b7e71aedd2f04bc7a90f79dfe234fa7f89"}],"database_specific":{"versions":[{"introduced":"2.6.0"},{"fixed":"4.1.18"},{"introduced":"4.2.0"},{"fixed":"4.2.10"}]}}],"versions":["v2.6.0","v2.6.1","v2.7.0","v2.7.0rc1","v2.7.0rc2","v2.7.0rc3","v2.7.1","v2.8.0","v2.8.0rc1","v2.8.0rc2","v2.8.0rc3","v2.8.1","v2.8.2","v2.9.0","v2.9.0rc1","v2.9.0rc2","v2.9.1","v2.9.2","v3.0.0","v3.0.0rc1","v3.0.0rc2","v3.0.0rc3","v3.0.1","v3.1.0","v3.1.0rc1","v3.1.0rc2","v3.1.1","v3.1.2","v3.1.3","v3.1.4","v3.2.0","v3.2.0rc1","v3.2.0rc2","v3.3.0","v3.3.0rc1","v3.3.0rc2","v3.3.0rc3","v3.4.0","v3.4.0rc1","v3.4.0rc2","v3.4.1","v3.5.0","v3.5.0rc1","v3.5.0rc2","v3.5.0rc3","v3.5.1","v3.5.2","v3.5.3","v4.0.0","v4.0.0rc1","v4.0.0rc2","v4.0.0rc3","v4.0.0rc4","v4.0.1","v4.0.2","v4.1.0","v4.1.0rc1","v4.1.0rc2","v4.1.0rc3","v4.1.1","v4.1.10","v4.1.11","v4.1.12","v4.1.13","v4.1.14","v4.1.15","v4.1.16","v4.1.17","v4.1.2","v4.1.3","v4.1.4","v4.1.5","v4.1.6","v4.1.7","v4.1.8","v4.1.9","v4.2.0","v4.2.1","v4.2.2","v4.2.3","v4.2.4","v4.2.5","v4.2.6","v4.2.7","v4.2.8","v4.2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37903.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}]}