CVE-2023-28853: Mastodon's blind LDAP injection in login allows the attacker to leak arbitrary attributes from LDAP database
First published: Tue Apr 04 2023(Updated: )
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mastodon | >=2.5.0<3.5.8 | |
| Mastodon | >=4.0.0<4.0.4 | |
| Mastodon | >=4.1.0<4.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2023/07/06/6
- https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14
- https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414
- https://github.com/mastodon/mastodon/pull/24379
- https://github.com/mastodon/mastodon/releases/tag/v3.5.8
- https://github.com/mastodon/mastodon/releases/tag/v4.0.4
- https://github.com/mastodon/mastodon/releases/tag/v4.1.2
- https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv
Frequently Asked Questions
What is CVE-2023-28853?
CVE-2023-28853 is a vulnerability in Mastodon, an open-source social network server, that allows LDAP injection attacks during login when LDAP is configured for authentication.
How does the CVE-2023-28853 vulnerability affect Mastodon?
The CVE-2023-28853 vulnerability affects Mastodon versions prior to 3.5.8, 4.0.4, and 4.1.2, allowing attackers to perform LDAP injection attacks during login when LDAP is used for authentication.
What is the severity of CVE-2023-28853?
CVE-2023-28853 has a severity rating of 6.5 (High).
How can the CVE-2023-28853 vulnerability be fixed?
To fix the CVE-2023-28853 vulnerability, it is recommended to update Mastodon to versions 3.5.8, 4.0.4, or 4.1.2, which have addressed the LDAP injection vulnerability.
Where can I find more information about CVE-2023-28853?
You can find more information about CVE-2023-28853 in the following references: [Link 1](http://www.openwall.com/lists/oss-security/2023/07/06/6), [Link 2](https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14), [Link 3](https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414)
- agent/weakness
- agent/references
- agent/type
- agent/softwarecombine
- agent/author
- agent/title
- agent/remedy
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/joinmastodon
- canonical/mastodon
- version/mastodon/2.5.0
- version/mastodon/4.0.0
- version/mastodon/4.1.0