CVE-2023-28853 - Vulnerability Details - OpenCVE

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Joinmastodon	Mastodon

Configuration 1 [-]

OR	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::
	cpe:2.3:a:joinmastodon:mastodon::::::::

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/07/06/6
https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14
https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414
https://github.com/mastodon/mastodon/pull/24379
https://github.com/mastodon/mastodon/releases/tag/v3.5.8
https://github.com/mastodon/mastodon/releases/tag/v4.0.4
https://github.com/mastodon/mastodon/releases/tag/v4.1.2
https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv

History

Mon, 10 Feb 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-04-04T21:14:53.350Z

Updated: 2025-02-13T16:48:56.318Z

Reserved: 2023-03-24T16:25:34.467Z

Link: CVE-2023-28853

Vulnrichment

Updated: 2024-08-02T13:51:38.946Z

NVD

Status : Modified

Published: 2023-04-04T22:15:08.087

Modified: 2024-11-21T07:56:09.700

Link: CVE-2023-28853

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28853", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-03-24T16:25:34.467Z", "datePublished": "2023-04-04T21:14:53.350Z", "dateUpdated": "2025-02-13T16:48:56.318Z"}, "containers": {"cna": {"title": "Mastodon's blind LDAP injection in login allows the attacker to leak arbitrary attributes from LDAP database", "problemTypes": [{"descriptions": [{"cweId": "CWE-90", "lang": "en", "description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv"}, {"name": "https://github.com/mastodon/mastodon/pull/24379", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/pull/24379"}, {"name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14"}, {"name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2"}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/06/6"}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"version": ">= 2.5.0, < 3.5.8", "status": "affected"}, {"version": ">= 4.0.0, < 4.0.4", "status": "affected"}, {"version": ">= 4.1.0, < 4.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-06T23:06:12.881Z"}, "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2."}], "source": {"advisory": "GHSA-38g9-pfm9-gfqv", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:51:38.946Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv"}, {"name": "https://github.com/mastodon/mastodon/pull/24379", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/pull/24379"}, {"name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14"}, {"name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4"}, {"name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2"}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/06/6", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-10T21:30:26.368909Z", "id": "CVE-2023-28853", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-10T21:30:30.843Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv", "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/pull/24379", "name": "https://github.com/mastodon/mastodon/pull/24379", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14", "name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414", "name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8", "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4", "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2", "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/06/6", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:51:38.946Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-28853", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-10T21:30:26.368909Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-10T21:30:20.764Z"}}], "cna": {"title": "Mastodon's blind LDAP injection in login allows the attacker to leak arbitrary attributes from LDAP database", "source": {"advisory": "GHSA-38g9-pfm9-gfqv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mastodon", "product": "mastodon", "versions": [{"status": "affected", "version": ">= 2.5.0, < 3.5.8"}, {"status": "affected", "version": ">= 4.0.0, < 4.0.4"}, {"status": "affected", "version": ">= 4.1.0, < 4.1.2"}]}], "references": [{"url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv", "name": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mastodon/mastodon/pull/24379", "name": "https://github.com/mastodon/mastodon/pull/24379", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14", "name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414", "name": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8", "name": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4", "name": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2", "name": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2", "tags": ["x_refsource_MISC"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/06/6"}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-90", "description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-04-04T21:14:53.350Z"}}}, "cveMetadata": {"cveId": "CVE-2023-28853", "state": "PUBLISHED", "dateUpdated": "2025-02-10T21:30:30.843Z", "dateReserved": "2023-03-24T16:25:34.467Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-04-04T21:14:53.350Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "7719057A-5D61-40B5-9F17-BAE36C43C90A", "versionEndExcluding": "3.5.8", "versionStartIncluding": "2.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAB7A197-9D83-4A92-BF6C-A9DBA50E1DDA", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:joinmastodon:mastodon:*:*:*:*:*:*:*:*", "matchCriteriaId": "F3BC1F07-C0F6-42E6-B967-F1A536F84767", "versionEndExcluding": "4.1.2", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2."}], "id": "CVE-2023-28853", "lastModified": "2024-11-21T07:56:09.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-04T22:15:08.087", "references": [{"source": "security-advisories@github.com", "url": "http://www.openwall.com/lists/oss-security/2023/07/06/6"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mastodon/mastodon/pull/24379"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/07/06/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/app/models/concerns/ldap_authenticable.rb#L7-L14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/mastodon/mastodon/blob/94cbd808b5b3e7999c7e77dc724b7e8c9dd2bdec/config/initializers/devise.rb#L398-L414"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/mastodon/mastodon/pull/24379"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/mastodon/mastodon/releases/tag/v3.5.8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.0.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/mastodon/mastodon/releases/tag/v4.1.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/mastodon/mastodon/security/advisories/GHSA-38g9-pfm9-gfqv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-90"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Secondary"}]}