Shodan
Vulnerabilities
Vulnerable Software
Joinmastodon:  >> Mastodon  >> 2.6.1  Security Vulnerabilities
CVE-2023-36461
Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-07-06
CVE-2023-28853
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.
CVSS Score
7.7
EPSS Score
0.004
Published
2023-04-04
CVE-2022-46405
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-12-04
CVE-2022-2166
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
CVSS Score
9.8
EPSS Score
0.007
Published
2022-11-16
CVE-2022-31263
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-05-24
CVE-2022-24307
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
CVSS Score
9.8
EPSS Score
0.003
Published
2022-02-03
CVE-2022-0432
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
CVSS Score
7.4
EPSS Score
0.303
Published
2022-02-02
CVE-2018-21018
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
CVSS Score
9.8
EPSS Score
0.016
Published
2019-09-22


Products
Pricing
Contact Us

Shodan ® - All rights reserved