CVE-2023-28853

Published Apr 4, 2023

Last updated a year ago

Overview

Description: Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.
Source: security-advisories@github.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM

Weaknesses

security-advisories@github.com: CWE-90
nvd@nist.gov: CWE-74

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7719057A-5D61-40B5-9F17-BAE36C43C90A",
            "versionEndExcluding": "3.5.8",
            "versionStartIncluding": "2.5.0"
          },
          {
            "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EAB7A197-9D83-4A92-BF6C-A9DBA50E1DDA",
            "versionEndExcluding": "4.0.4",
            "versionStartIncluding": "4.0.0"
          },
          {
            "criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F3BC1F07-C0F6-42E6-B967-F1A536F84767",
            "versionEndExcluding": "4.1.2",
            "versionStartIncluding": "4.1.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References