cbcvebase.
CVE-2023-28853
published 2023-04-04

CVE-2023-28853: Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0…

PriorityP342medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
1.28%
66.4th percentile
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.

Affected

6 ranges
VendorProductVersion rangeFixed in
joinmastodonmastodon>= 2.5.0 < 3.5.83.5.8
joinmastodonmastodon>= 4.0.0 < 4.0.44.0.4
joinmastodonmastodon>= 4.1.0 < 4.1.24.1.2
mastodonmastodon
mastodonmastodon
mastodonmastodon
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.