PRIOn knowledge basePRION:CVE-2023-28853

HistoryApr 04, 2023 - 10:15 p.m.

Design/Logic Flaw

2023-04-0422:15:00

PRIOn knowledge base

www.prio-n.com

mastodon

ldap injection

authentication

activitypub

open-source server

security flaw

version 3.5.8

version 4.0.4

version 4.1.2

nvd

6.4 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

67.9%

JSON

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.

CPENameOperatorVersion
mastodonge4.1.0
mastodonlt4.1.2
mastodonge4.0.0
mastodonlt4.0.4
mastodonge2.5.0
mastodonlt3.5.8

Name	Operator	Version
mastodon	ge	4.1.0
mastodon	lt	4.1.2
mastodon	ge	4.0.0
mastodon	lt	4.0.4
mastodon	ge	2.5.0
mastodon	lt	3.5.8

References

www.openwall.com/lists/oss-security/2023/07/06/6

github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb

github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb

github.com/mastodon/mastodon/pull/24379

github.com/mastodon/mastodon/releases/tag/v3.5.8

github.com/mastodon/mastodon/releases/tag/v4.0.4

github.com/mastodon/mastodon/releases/tag/v4.1.2

github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv