Possible account takeover vulnerability in Mastodon due to external authentication providers
CVE-2024-25618

4.2MEDIUM

Key Information:

Vendor: Mastodon
Status: Mastodon
Vendor: CVE Published:; 14 February 2024

What is CVE-2024-25618?

Mastodon, a free and open-source social networking server based on the ActivityPub protocol, exposes a vulnerability related to its authentication process. When integrating with external authentication providers such as CAS, SAML, or OIDC, Mastodon permits the formation of new identities linked to existing users sharing the same email address. This configuration could facilitate unauthorized access if an external provider allows users to alter their registered email addresses. In such scenarios, a malicious actor might hijack an account upon the first login using an external provider, as the matching is conducted solely on the email address. The risk is particularly pronounced when using popular OIDC providers that may easily permit unverified email modifications, such as Microsoft Azure. It is recommended that users immediately upgrade to the patched versions, as outlined, to mitigate this emerging security concern.

Affected Version(s)

mastodon >= 4.2.0, < 4.2.6 < 4.2.0, 4.2.6

mastodon >= 4.1.0, < 4.1.14 < 4.1.0, 4.1.14

mastodon >= 4.0.0, < 4.0.14 < 4.0.0, 4.0.14

References

https://github.com/mastodon/mastodon/security/advisories/...

x_refsource_CONFIRM

https://github.com/mastodon/mastodon/commit/b31af34c97163...

x_refsource_MISC

CVSS V3.1

Score:

4.2

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 14, 2024
Vulnerability Reserved
Feb 8, 2024

JSON