CVE-2023-28853

medium

Description

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.

References

https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv

https://github.com/mastodon/mastodon/releases/tag/v4.1.2

https://github.com/mastodon/mastodon/releases/tag/v4.0.4

https://github.com/mastodon/mastodon/releases/tag/v3.5.8

https://github.com/mastodon/mastodon/pull/24379

https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414

https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14

http://www.openwall.com/lists/oss-security/2023/07/06/6

Details

Source: Mitre, NVD

Published: 2023-04-04

Updated: 2023-07-07

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium