CVE-2024-23832

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x version prior to 4.1.13, and 4.2.x versions prior to 4.2.5.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/02/02/4	Mailing List Patch
https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958	Patch
https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::

History

09 Feb 2024, 20:21

Type	Values Removed	Values Added
References	~~() http://www.openwall.com/lists/oss-security/2024/02/02/4 -~~	() http://www.openwall.com/lists/oss-security/2024/02/02/4 - Mailing List, Patch
References	~~() https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958 -~~	() https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958 - Patch
References	~~() https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw -~~	() https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~9.4~~	v2 : unknown v3 : 9.8
First Time		Joinmastodon mastodon Joinmastodon
CPE		cpe:2.3:a:joinmastodon:mastodon::::::::

01 Feb 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-01 17:15

Updated : 2024-02-09 20:21

NVD link : CVE-2024-23832

Mitre link : CVE-2024-23832

CVE.ORG link : CVE-2024-23832

JSON object : View

Products Affected

joinmastodon

mastodon

CWE

CWE-290

Authentication Bypass by Spoofing

{"id": "CVE-2024-23832", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 5.5, "exploitabilityScore": 3.9}]}, "published": "2024-02-01T17:15:10.677", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/02/02/4", "tags": ["Mailing List", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-290"}]}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x version prior to 4.1.13, and 4.2.x versions prior to 4.2.5."}, {"lang": "es", "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub. Mastodon permite la configuraci\u00f3n de LDAP para la autenticaci\u00f3n. Debido a una validaci\u00f3n de origen insuficiente en todos los Mastodon, los atacantes pueden hacerse pasar por cualquier cuenta remota y apoderarse de ella. Todas las versiones de Mastodon anteriores a la 3.5.17 son vulnerables, as\u00ed como las versiones 4.0.x anteriores a la 4.0.13, la versi\u00f3n 4.1.x anteriores a la 4.1.13 y las versiones 4.2.x anteriores a la 4.2.5."}], "lastModified": "2024-02-09T20:21:45.317", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B3D78571-45F8-4E22-80CB-67190F74AEDA", "versionEndExcluding": "3.5.17"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4FE237D-083C-4D44-BEFC-AFE77F1A9B94", "versionEndExcluding": "4.0.13", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80BD3026-2541-470E-85F2-61ACFD318C9C", "versionEndExcluding": "4.1.13", "versionStartIncluding": "4.1.0"}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC484C16-EA4D-48EC-A03D-1D8DCB89AAB8", "versionEndExcluding": "4.2.5", "versionStartIncluding": "4.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}