CVE-2023-28853
published 2023-04-04CVE-2023-28853: Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0…
PriorityP342medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
1.28%
66.4th percentile
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joinmastodon | mastodon | >= 2.5.0 < 3.5.8 | 3.5.8 |
| joinmastodon | mastodon | >= 4.0.0 < 4.0.4 | 4.0.4 |
| joinmastodon | mastodon | >= 4.1.0 < 4.1.2 | 4.1.2 |
| mastodon | mastodon | — | — |
| mastodon | mastodon | — | — |
| mastodon | mastodon | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.openwall.com/lists/oss-security/2023/07/06/6https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414https://github.com/mastodon/mastodon/pull/24379https://github.com/mastodon/mastodon/releases/tag/v3.5.8https://github.com/mastodon/mastodon/releases/tag/v4.0.4https://github.com/mastodon/mastodon/releases/tag/v4.1.2https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqvhttp://www.openwall.com/lists/oss-security/2023/07/06/6https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414https://github.com/mastodon/mastodon/pull/24379https://github.com/mastodon/mastodon/releases/tag/v3.5.8https://github.com/mastodon/mastodon/releases/tag/v4.0.4https://github.com/mastodon/mastodon/releases/tag/v4.1.2https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv
2023-04-04
Published