CVE-2024-23832: Mastodon Remote user impersonation and takeover
First published: Thu Feb 01 2024(Updated: )
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x version prior to 4.1.13, and 4.2.x versions prior to 4.2.5.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mastodon | <3.5.17 | |
| Mastodon | >=4.0.0<4.0.13 | |
| Mastodon | >=4.1.0<4.1.13 | |
| Mastodon | >=4.2.0<4.2.5 | |
| Mastodon | =3.5.17 | |
| Mastodon | =4.0.13 | |
| Mastodon | =4.1.13 | |
| Mastodon | =4.2.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw
- https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958
- http://www.openwall.com/lists/oss-security/2024/02/02/4
- https://www.theregister.com/2024/02/02/critical_vulnerability_in_mastodon_is/
- https://www.bleepingcomputer.com/news/security/mastodon-vulnerability-allows-attackers-to-take-over-accounts/
Frequently Asked Questions
What is the severity of CVE-2024-23832?
CVE-2024-23832 is considered a high severity vulnerability due to its potential for account impersonation and takeover.
How do I fix CVE-2024-23832?
To fix CVE-2024-23832, users should update their Mastodon installation to version 3.5.17 or later.
What versions of Mastodon are affected by CVE-2024-23832?
All versions of Mastodon prior to 3.5.17, including those between 4.0.0 and 4.2.5, are affected by CVE-2024-23832.
Can CVE-2024-23832 be exploited remotely?
Yes, CVE-2024-23832 can be exploited remotely by attackers to impersonate and take over accounts.
What type of vulnerability is CVE-2024-23832 classified as?
CVE-2024-23832 is classified as an authentication vulnerability due to insufficient origin validation.
- agent/weakness
- agent/title
- agent/description
- agent/type
- agent/first-publish-date
- agent/author
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-23832
- collector/the-register
- source/The Register
- alias/CVE-2023-36460
- alias/CVE-2023-36459
- collector/bleeping-computer
- source/BleepingComputer
- agent/references
- agent/severity
- agent/remedy
- agent/softwarecombine
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/news-ai
- vendor/joinmastodon
- canonical/mastodon
- version/mastodon/4.0.0
- version/mastodon/4.1.0
- version/mastodon/4.2.0
- vendor/mastodon
- version/mastodon/3.5.17
- version/mastodon/4.0.13
- version/mastodon/4.1.13
- version/mastodon/4.2.5