SB2024060333 - Multiple vulnerabilities in Mastodon

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2023-49952)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper restriction of excessive authentication attempts within X-Forwarded-For header. A remote attacker can guess valid usernames and corresponding passwords.

2) Security features bypass (CVE-ID: N/A)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to private mention filtering bypass. A remote attacker can spam or harassment people with whom they have no follow relationships.

3) Security features bypass (CVE-ID: N/A)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to missing rate-limit to password change endpoint. A remote user can gain access to the victim's password and change it.

Remediation

Install update from vendor's website.

References

• https://github.com/mastodon/mastodon/security/advisories/GHSA-c2r5-cfqr-c553
• https://github.com/mastodon/mastodon/security/advisories/GHSA-5fq7-3p3j-9vrf
• https://github.com/mastodon/mastodon/security/advisories/GHSA-q3rg-xx5v-4mxh