CVE-2023-28853

HIGH

Mastodon <3.5.8, <4.0.4, <4.1.2 - SQL Injection

Title source: llm

Description

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.

References (8)

[Mailing List] http://www.openwall.com/lists/oss-security/2023/07/06/6

[Exploit, Vendor Advisory] https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv

[Patch] https://github.com/mastodon/mastodon/pull/24379

[Product] https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14

[Product] https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414

View Writeup ZIP pw:eip

[Release Notes] https://github.com/mastodon/mastodon/releases/tag/v3.5.8

[Release Notes] https://github.com/mastodon/mastodon/releases/tag/v4.0.4

[Release Notes] https://github.com/mastodon/mastodon/releases/tag/v4.1.2

Scores

CVSS v3 7.7

EPSS 0.0140

EPSS Percentile 80.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-90 CWE-74

Status published

Products (1)

joinmastodon/mastodon 2.5.0 - 3.5.8

Published Apr 04, 2023

Tracked Since Feb 18, 2026