Mastodon's blind LDAP injection in login allows the attacker to leak arbitrary attributes from LDAP database
CVE-2023-28853

7.7HIGH

Key Information:

Vendor

Mastodon

Status
Mastodon
Vendor
CVE Published:
4 April 2023

What is CVE-2023-28853?

The Mastodon social network server allows insecure LDAP configuration for user authentication. Versions from 2.5.0 until 3.5.8, 4.0.4, and 4.1.2 are susceptible to LDAP injection attacks. Under this vulnerability, an attacker can manipulate the LDAP query made during login, potentially leading to the exposure of sensitive attributes from the LDAP database. Users are strongly encouraged to upgrade to the latest versions to mitigate the risk.

Affected Version(s)

mastodon >= 2.5.0, < 3.5.8 < 2.5.0, 3.5.8

mastodon >= 4.0.0, < 4.0.4 < 4.0.0, 4.0.4

mastodon >= 4.1.0, < 4.1.2 < 4.1.0, 4.1.2

References

https://github.com/mastodon/mastodon/security/advisories/...
x_refsource_CONFIRM
https://github.com/mastodon/mastodon/pull/24379
x_refsource_MISC
https://github.com/mastodon/mastodon/blob/94cbd808b5b3e79...
x_refsource_MISC

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.