Description
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows LDAP to be configured as an authentication backend. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP search filter built during login interpolates the user-supplied login value without escaping, so an attacker can perform an LDAP injection attack and leak arbitrary attributes from the LDAP directory. Only deployments with LDAP authentication enabled are exposed, and the CVSS vector (PR:L) reflects that the attacker needs a directory account of their own to turn the injection into a login success/failure oracle. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.
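The following is an added example, not Mastodon's code or the referenced patch: it shows why unescaped interpolation of the login value into an LDAP search filter turns the login endpoint into a blind attribute oracle, and how RFC 4515 escaping of the assertion value closes it. The filter template, the directory entry, the attribute names and the tiny in-memory filter matcher are all constructed for this illustration; a real deployment would escape with the net-ldap gem's Net::LDAP::Filter.escape before substituting the value.

```ruby
# Added example (not Mastodon's code). Everything below is constructed for the
# illustration: the template, the directory entry and the filter matcher.

# Assumed template, in the same String#format shape as an LDAP_SEARCH_FILTER
# setting: the login value is substituted into the assertion value for mail.
SEARCH_FILTER = '(&(objectClass=person)(mail=%{email}))'

# Vulnerable construction: the raw login value lands inside the filter, so
# a value containing ')' and '(' rewrites the filter's structure.
def vulnerable_filter(email)
  format(SEARCH_FILTER, email: email)
end

# RFC 4515 escaping of an assertion value. Only backslash, '*', '(', ')' and
# NUL carry filter-level meaning; each becomes '\' plus two hex digits.
# This is the same transformation net-ldap's Net::LDAP::Filter.escape applies.
def ldap_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Hardened construction: escape first, then interpolate.
def safe_filter(email)
  format(SEARCH_FILTER, email: ldap_escape(email))
end

# Minimal matcher for the filter subset used here: (&...), (|...), and
# (attr=value) items where an unescaped '*' is a wildcard. Escaped bytes
# (\2a etc.) are decoded to literal characters, which is exactly what makes
# the escaped payload harmless. Returns true when the entry (Hash of
# attribute => String) satisfies the filter.
def ldap_match?(filter, entry)
  node, rest = parse_filter(filter, 0)
  raise ArgumentError, 'trailing garbage in filter' unless rest == filter.length
  eval_node(node, entry)
end

def parse_filter(s, i)
  raise ArgumentError, "expected '(' at #{i}" unless s[i] == '('
  i += 1
  if s[i] == '&' || s[i] == '|'
    op = s[i]
    i += 1
    children = []
    while s[i] == '('
      child, i = parse_filter(s, i)
      children << child
    end
    raise ArgumentError, "expected ')' at #{i}" unless s[i] == ')'
    return [[op, children], i + 1]
  end
  close = s.index(')', i)
  raise ArgumentError, 'unterminated filter item' if close.nil?
  attr, value = s[i...close].split('=', 2)
  raise ArgumentError, 'malformed filter item' if value.nil?
  [[:item, attr, value_to_regexp(value)], close + 1]
end

# Unescaped '*' separates literal pieces; each piece is hex-unescaped and
# then regex-escaped, so a '\2a' becomes a literal '*' rather than a wildcard.
def value_to_regexp(raw)
  parts = raw.split('*', -1).map { |p| Regexp.escape(unescape_value(p)) }
  Regexp.new('\A' + parts.join('.*') + '\z')
end

def unescape_value(piece)
  piece.gsub(/\\([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

def eval_node(node, entry)
  case node[0]
  when '&' then node[1].all? { |c| eval_node(c, entry) }
  when '|' then node[1].any? { |c| eval_node(c, entry) }
  else
    _, attr, re = node
    v = entry[attr]
    !v.nil? && re.match?(v)
  end
end

# Constructed directory entry for the attacker's own account. The attacker
# knows this account's password, so a bind-after-search login succeeds
# exactly when the search filter still matches this entry.
ALICE = { 'objectClass' => 'person', 'mail' => 'alice@example.org',
          'description' => 'Secret-Value' }.freeze

ALPHABET = (('A'..'Z').to_a + ('a'..'z').to_a + ['-']).freeze

# One simulated login attempt: build the filter with the given builder
# (:vulnerable_filter or :safe_filter) and check whether Alice's entry matches.
def login_matches?(builder, login_value)
  ldap_match?(send(builder, login_value), ALICE)
end

# Blind injection: recover an attribute of the attacker's own entry one
# character at a time, using only the login success/failure signal. The
# payload closes the (mail=...) item and appends (attr=prefix*) inside the &.
def leak_prefix(builder, attr, alphabet, length)
  known = ''
  length.times do
    hit = alphabet.find do |ch|
      login_matches?(builder, "alice@example.org)(#{attr}=#{known}#{ch}*")
    end
    return known if hit.nil?
    known += hit
  end
  known
end

if $PROGRAM_NAME == __FILE__
  puts leak_prefix(:vulnerable_filter, 'description', ALPHABET, 6)        # => Secret
  puts leak_prefix(:safe_filter, 'description', ALPHABET, 6).inspect      # => ""
end
```

With the vulnerable builder the payload `alice@example.org)(description=S*` yields `(&(objectClass=person)(mail=alice@example.org)(description=S*))`, which is a well-formed filter that matches only when the guessed prefix is right; repeated over an alphabet it spells out the attribute. With escaping the same input becomes `(mail=alice@example.org\29\28description=S\2a)`, a single assertion on a value nobody's mail equals, so the oracle returns nothing. The general defence is the same whatever the template: never splice user input into a filter without RFC 4515 escaping, and prefer a filter builder over string formatting.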
References (8)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv
Patch x_refsource_misc
https://github.com/mastodon/mastodon/pull/24379
Product x_refsource_misc
https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14
Product x_refsource_misc
https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414
Release Notes x_refsource_misc
https://github.com/mastodon/mastodon/releases/tag/v3.5.8
Release Notes x_refsource_misc
https://github.com/mastodon/mastodon/releases/tag/v4.0.4
Release Notes x_refsource_misc
https://github.com/mastodon/mastodon/releases/tag/v4.1.2
Scores
CVSS v3
7.7
EPSS
0.0128
EPSS Percentile
66.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-90
CWE-74
Status
published
Products (1)
joinmastodon/mastodon
2.5.0 up to (not including) 3.5.8; the 4.0.x and 4.1.x branches are likewise affected before 4.0.4 and 4.1.2 respectively
Published
Apr 04, 2023
Tracked Since
Feb 18, 2026