{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-25619", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-08T22:26:33.511Z", "datePublished": "2024-02-14T20:50:10.809Z", "dateUpdated": "2024-08-01T23:44:09.688Z"}, "containers": {"cna": {"title": "Destroying OAuth Applications doesn't notify Streaming of Access Tokens being destroyed in mastodon", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-672", "lang": "en", "description": "CWE-672: Operation on a Resource after Expiration or Release", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x"}, {"name": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71"}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"version": ">= 4.2.6, < 4.2.6", "status": "affected"}, {"version": ">= 4.1.0, < 4.1.14", "status": "affected"}, {"version": ">= 4.0.0, < 4.0.14", "status": "affected"}, {"version": "< 3.5.18", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-14T20:50:10.809Z"}, "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed, this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed. Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback setup on `AccessTokenExtension` didn't actually fire, since `delete_all` doesn't trigger ActiveRecord callbacks. To mitigate, we need to add a `before_destroy` callback to `ApplicationExtension` which announces to streaming that all the Application's Access Tokens are being \"killed\". Impact should be negligible given the affected application had to be owned by the user. None the less this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workaround for this vulnerability."}], "source": {"advisory": "GHSA-7w3c-p9j8-mq3x", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25619", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-15T20:06:57.515329Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:34:59.800Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:44:09.688Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x"}, {"name": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x", "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71", "name": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:44:09.688Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25619", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-15T20:06:57.515329Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:10.532Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Destroying OAuth Applications doesn't notify Streaming of Access Tokens being destroyed in mastodon", "source": {"advisory": "GHSA-7w3c-p9j8-mq3x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"status": "affected", "version": ">= 4.2.6, < 4.2.6"}, {"status": "affected", "version": ">= 4.1.0, < 4.1.14"}, {"status": "affected", "version": ">= 4.0.0, < 4.0.14"}, {"status": "affected", "version": "< 3.5.18"}]}], "references": [{"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x", "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71", "name": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed, this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed. Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback setup on `AccessTokenExtension` didn't actually fire, since `delete_all` doesn't trigger ActiveRecord callbacks. To mitigate, we need to add a `before_destroy` callback to `ApplicationExtension` which announces to streaming that all the Application's Access Tokens are being \"killed\". Impact should be negligible given the affected application had to be owned by the user. None the less this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workaround for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-672", "description": "CWE-672: Operation on a Resource after Expiration or Release"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-14T20:50:10.809Z"}}}, "cveMetadata": {"cveId": "CVE-2024-25619", "state": "PUBLISHED", "dateUpdated": "2024-08-01T23:44:09.688Z", "dateReserved": "2024-02-08T22:26:33.511Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-14T20:50:10.809Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub. When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed, this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed. Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a `dependent: delete_all` configuration, which means the `after_commit` callback setup on `AccessTokenExtension` didn't actually fire, since `delete_all` doesn't trigger ActiveRecord callbacks. To mitigate, we need to add a `before_destroy` callback to `ApplicationExtension` which announces to streaming that all the Application's Access Tokens are being \"killed\". Impact should be negligible given the affected application had to be owned by the user. None the less this issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workaround for this vulnerability."}, {"lang": "es", "value": "Mastodon es un servidor de red social gratuito y de c\u00f3digo abierto basado en ActivityPub. Cuando se destruye una aplicaci\u00f3n OAuth, no se informaba al servidor de transmisi\u00f3n que los tokens de acceso tambi\u00e9n se hab\u00edan destruido, lo que podr\u00eda haber planteado riesgos de seguridad para los usuarios al permitir que una aplicaci\u00f3n continuara escuchando la transmisi\u00f3n despu\u00e9s de que la aplicaci\u00f3n hubiera sido destruida. Esencialmente, esto se reduce al hecho de que cuando Doorkeeper configura la relaci\u00f3n entre las aplicaciones y los tokens de acceso, utiliza una configuraci\u00f3n `dependent: delete_all`, lo que significa que la configuraci\u00f3n de devoluci\u00f3n de llamada `after_commit` en `AccessTokenExtension` en realidad no se activ\u00f3, ya que ` delete_all` no activa devoluciones de llamada de ActiveRecord. Para mitigar, necesitamos agregar una devoluci\u00f3n de llamada `before_destroy` a `ApplicationExtension` que anuncia a la transmisi\u00f3n que todos los tokens de acceso de la aplicaci\u00f3n est\u00e1n siendo \"eliminados\". El impacto deber\u00eda ser insignificante dado que la aplicaci\u00f3n afectada ten\u00eda que ser propiedad del usuario. No obstante, este problema se ha solucionado en las versiones 4.2.6, 4.1.14, 4.0.14 y 3.5.18. Se recomienda a los usuarios que actualicen. No se conocen workaround para esta vulnerabilidad."}], "id": "CVE-2024-25619", "lastModified": "2024-02-15T06:23:39.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-02-14T21:15:08.620", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/mastodon/mastodon/commit/68eaa804c9bafdc5f798e114e9ba00161425dd71"}, {"source": "security-advisories@github.com", "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}, {"lang": "en", "value": "CWE-672"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}