Joinmastodon: >> Mastodon >> 2.7.3 Security Vulnerabilities
Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-07-06
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2.
CVSS Score
7.7
EPSS Score
0.004
Published
2023-04-04
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-12-04
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
CVSS Score
9.8
EPSS Score
0.007
Published
2022-11-16
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-05-24
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
CVSS Score
9.8
EPSS Score
0.003
Published
2022-02-03
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
CVSS Score
7.4
EPSS Score
0.303
Published
2022-02-02
Page 2