CVE-2024-23832: Mastodon Remote user impersonation and takeover

9.4 CVSS

Description

Mastodon is a free, open-source social network server based on ActivityPub; it also allows LDAP to be configured for authentication. Due to insufficient origin validation in all Mastodon versions, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as are 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.
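The control that "insufficient origin validation" refers to, shown as an added example in Ruby (Mastodon's implementation language). This is not Mastodon's own code and not the referenced patch: a receiver accepts a remote ActivityPub object only if the URIs that identify the object and its author share the origin of the URL it was actually fetched from, and the same rule is applied to objects embedded inline in an activity against the activity's origin. The module, method names and sample documents (`remote.example`, `attacker.example`, `victim.example`) are constructed for this illustration; whether Mastodon's fix is structured exactly this way is not something this page states.

```ruby
# Added example (not Mastodon's code): same-origin validation for remote
# ActivityPub objects. Hostnames, method names and sample JSON are constructed.
require 'json'
require 'uri'

module OriginCheck
  class OriginMismatch < StandardError; end

  # Fields that assert WHICH object this is and WHO produced it. A remote
  # server may only vouch for these on its own origin. Foreign references
  # such as inReplyTo, or a bare URI in the object of a Like/Announce, are
  # deliberately not checked: they point at, but do not claim, another origin.
  IDENTITY_FIELDS = %w[id attributedTo actor].freeze

  # Normalised origin (scheme, host, effective port) of an absolute http(s)
  # URI, or nil for anything else (relative paths, other schemes, garbage).
  def self.origin_of(value)
    return nil unless value.is_a?(String)
    uri = URI.parse(value)
    return nil unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    [uri.scheme.downcase, uri.host.downcase, uri.port]
  rescue URI::InvalidURIError
    nil
  end

  def self.same_origin?(a, b)
    oa = origin_of(a)
    !oa.nil? && oa == origin_of(b)
  end

  # Reject any identity field whose origin differs from trusted_uri, then
  # recurse into an inline embedded object, which inherits the parent's origin.
  def self.validate!(object, trusted_uri, path = 'object')
    raise OriginMismatch, "#{path}: not a JSON object" unless object.is_a?(Hash)

    IDENTITY_FIELDS.each do |field|
      next unless object.key?(field)
      value = object[field]
      value = value['id'] if value.is_a?(Hash) # actor/attributedTo may be embedded
      next if same_origin?(value, trusted_uri)
      raise OriginMismatch, "#{path}.#{field} = #{value.inspect} is not on the origin of #{trusted_uri}"
    end

    embedded = object['object']
    validate!(embedded, trusted_uri, "#{path}.object") if embedded.is_a?(Hash)
    object
  end

  # Entry point for a document fetched by URL: the fetch URL is the only
  # origin the receiver has actually verified via TLS, so it is the trust anchor.
  def self.accept_fetched(fetched_from, body)
    raise OriginMismatch, "fetch URL #{fetched_from.inspect} has no http(s) origin" if origin_of(fetched_from).nil?
    object = JSON.parse(body)
    raise OriginMismatch, 'fetched object has no id' unless object.is_a?(Hash) && object.key?('id')
    validate!(object, fetched_from)
  end

  def self.accepts?(fetched_from, body)
    accept_fetched(fetched_from, body)
    true
  rescue OriginMismatch, JSON::ParserError
    false
  end

  # Constructed sample inputs (not real traffic).
  LEGIT_URL  = 'https://remote.example/users/bob/statuses/42'
  LEGIT_BODY = JSON.generate(
    'id' => 'https://Remote.example:443/users/bob/statuses/42', # same origin once normalised
    'type' => 'Note',
    'attributedTo' => 'https://remote.example/users/bob',
    'inReplyTo' => 'https://victim.example/users/alice/statuses/1', # foreign reference, allowed
    'content' => 'hello'
  )
  # Served by attacker.example but claiming to be alice's post on victim.example.
  SPOOF_URL  = 'https://attacker.example/objects/1'
  SPOOF_BODY = JSON.generate(
    'id' => 'https://victim.example/users/alice/statuses/7',
    'type' => 'Note',
    'attributedTo' => 'https://victim.example/users/alice',
    'content' => 'not written by alice'
  )
  # Activity from attacker.example whose inline object claims victim.example.
  SPOOF_ACTIVITY_URL  = 'https://attacker.example/activities/9'
  SPOOF_ACTIVITY_BODY = JSON.generate(
    'id' => SPOOF_ACTIVITY_URL,
    'type' => 'Create',
    'actor' => 'https://attacker.example/users/mallory',
    'object' => { 'id' => 'https://victim.example/users/alice/statuses/8',
                  'type' => 'Note',
                  'attributedTo' => 'https://victim.example/users/alice' }
  )
end

if $PROGRAM_NAME == __FILE__
  puts "legit:          #{OriginCheck.accepts?(OriginCheck::LEGIT_URL, OriginCheck::LEGIT_BODY)}"
  puts "spoofed object: #{OriginCheck.accepts?(OriginCheck::SPOOF_URL, OriginCheck::SPOOF_BODY)}"
  puts "spoofed inline: #{OriginCheck.accepts?(OriginCheck::SPOOF_ACTIVITY_URL, OriginCheck::SPOOF_ACTIVITY_BODY)}"
end
```

Rejecting is the conservative choice shown here; a receiver can instead discard the inline copy and re-fetch the embedded object from its own `id`, which moves the trust decision back to the origin that actually owns that URI.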

Classification

CVE ID: CVE-2024-23832

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.4

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Affected Products

Vendor: mastodon

Product: mastodon

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.16% (estimated probability of exploitation activity in the wild within the next 30 days)

EPSS Percentile: 54.44% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-14 (date this score was calculated)

References

https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw
https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958
http://www.openwall.com/lists/oss-security/2024/02/02/4

Timeline