CVE-2024-23832
CRITICAL: Mastodon < 3.5.17 - Authentication Bypass by Spoofing
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon versions, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.
References (3)
Mailing List, Patch: http://www.openwall.com/lists/oss-security/2024/02/02/4
Vendor Advisory: https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw
Scores
CVSS v3: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0176
EPSS Percentile: 82.7%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-290
Status: published
Products (1)
joinmastodon/mastodon < 3.5.17
Published: Feb 01, 2024
Tracked Since: Feb 18, 2026