CVE-2023-28853 - OpenCVE

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Joinmastodon	Mastodon

Configuration 1 [-]

OR	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/07/06/6
https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14
https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414
https://github.com/mastodon/mastodon/pull/24379
https://github.com/mastodon/mastodon/releases/tag/v3.5.8
https://github.com/mastodon/mastodon/releases/tag/v4.0.4
https://github.com/mastodon/mastodon/releases/tag/v4.1.2
https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-04-04T21:14:53.350Z

Updated: 2024-08-02T13:51:38.946Z

Reserved: 2023-03-24T16:25:34.467Z

Link: CVE-2023-28853

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-04-04T22:15:08.087

Modified: 2023-07-07T00:15:09.367

Link: CVE-2023-28853

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28853", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-03-24T16:25:34.467Z", "datePublished": "2023-04-04T21:14:53.350Z", "dateUpdated": "2024-08-02T13:51:38.946Z"}, "containers": {"cna": {"title": "Mastodon's blind LDAP injection in login allows the attacker to leak arbitrary attributes from LDAP database", "problemTypes": [{"descriptions": [{"cweId": "CWE-90", "lang": "en", "description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv"}, {"name": "https://github.com/mastodon/mastodon/pull/24379", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/pull/24379"}, {"name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14"}, {"name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2"}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/06/6"}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"version": ">= 2.5.0, < 3.5.8", "status": "affected"}, {"version": ">= 4.0.0, < 4.0.4", "status": "affected"}, {"version": ">= 4.1.0, < 4.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-04-04T21:14:53.350Z"}, "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2."}], "source": {"advisory": "GHSA-38g9-pfm9-gfqv", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:51:38.946Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv"}, {"name": "https://github.com/mastodon/mastodon/pull/24379", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/pull/24379"}, {"name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14"}, {"name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2"}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/06/6", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "7719057A-5D61-40B5-9F17-BAE36C43C90A", "versionEndExcluding": "3.5.8", "versionStartIncluding": "2.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAB7A197-9D83-4A92-BF6C-A9DBA50E1DDA", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3BC1F07-C0F6-42E6-B967-F1A536F84767", "versionEndExcluding": "4.1.2", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2."}], "id": "CVE-2023-28853", "lastModified": "2023-07-07T00:15:09.367", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-04-04T22:15:08.087", "references": [{"source": "security-advisories@github.com", "url": "http://www.openwall.com/lists/oss-security/2023/07/06/6"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mastodon/mastodon/pull/24379"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-90"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Secondary"}]}