Detections
Analytics
Mastodon 4.0.x < 4.0.4 LDAP injection
medium Web App Scanning Plugin ID 114494
Language:
Synopsis
Mastodon 4.0.x < 4.0.4 LDAP injectionDescription
According to its self-reported version number, the version of Mastodon running on the remote host is 2.5.0 prior to 3.5.8 or 4.0.x prior to 4.0.4 or 4.1.x prior to 4.1.2. Therefore, it may be affected by a blind LDAP injection in login allows the attacker to leak arbitrary attributes from LDAP database.Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Mastodon version 4.0.4 or later.See Also
https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv
Plugin Details
Severity: Medium
ID: 114494
Type: remote
Family: Component Vulnerability
Published: 11/5/2024
Updated: 11/5/2024
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N
CVSS Score Source: CVE-2023-28853
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score Source: CVE-2023-28853
Vulnerability Information
CPE: cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 4/4/2024
Vulnerability Publication Date: 4/4/2024
Reference Information
CVE: CVE-2023-28853
OWASP: 2010-A1, 2013-A1, 2013-A9, 2017-A1, 2017-A9, 2021-A3, 2021-A6
WASC: Improper Input Handling, LDAP Injection
CAPEC: 10, 101, 108, 120, 13, 135, 136, 14, 24, 250, 267, 273, 28, 3, 34, 42, 43, 45, 46, 47, 51, 52, 53, 6, 64, 67, 7, 71, 72, 76, 78, 79, 8, 80, 83, 84, 9
DISA STIG: APSC-DV-002560, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-10
OWASP API: 2019-API7, 2019-API8, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.2.5, 4.0.2-5.3.7