9.4 out of 10: Mastodon Reports Critical Account Hijacking Vulnerability

CVE-2024-23832 requires immediate action from administrators.

Mastodon, a decentralized social network, has uncovered a serious security vulnerability that allows attackers to pretend to be other users and hijack their accounts.

"Due to insufficient verification of origin in all versions of Mastodon, attackers can fake their account under any other one," the brief warning says.

The vulnerability, identified as CVE-2024-23832, has a CVSS score of 9.4 out of a maximum of 10. A cybersecurity researcher using the pseudonym "arcanicanis" was rewarded for discovering and reporting it.

The vulnerability is described as an "origin validation error", a weakness class that typically lets an attacker reach functionality that should never have been available to them.

All versions of Mastodon up to 3.5.17 are vulnerable, as well as versions 4.0.x up to 4.0.13, 4.1.x up to 4.1.13, and 4.2.x up to 4.2.5.
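Because the fix is simply "run a patched release", the first thing an administrator wants is a reliable answer to "is my version in one of those ranges?". The following script is an added example, not code from Mastodon or from the article; it encodes the affected ranges exactly as listed above (the first fixed release of each branch is the next patch number), tolerates the suffixes real instances report (for example `4.2.5+glitch` or a release candidate), and reads the `version` field that Mastodon's public `/api/v1/instance` endpoint returns. The JSON payload at the bottom is constructed for the demonstration; versions on branches the advisory does not name (such as anything newer than 4.2) are assumed unaffected.

```python
import json
import re
from typing import Optional, Tuple

# First fixed release of each maintained branch, derived from the inclusive
# "vulnerable up to" bounds in the article (3.5.17, 4.0.13, 4.1.13, 4.2.5).
FIXED_IN = {
    (3, 5): (3, 5, 18),
    (4, 0): (4, 0, 14),
    (4, 1): (4, 1, 14),
    (4, 2): (4, 2, 6),
}

# "All versions up to 3.5.17" also covers every older release line (2.x, 3.4.x, ...).
LAST_AFFECTED_LEGACY = (3, 5, 17)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return the numeric major.minor.patch triple of a Mastodon version string.

    Suffixes such as '+glitch', 'rc1' or '-nightly' are ignored so that forks and
    pre-releases are compared on their base version. Returns None if unparseable.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls inside an affected range, False if it is at or
    above the branch's fixed release, None if the string cannot be parsed.

    Assumption: branches not listed in the advisory (e.g. 4.3 and later) are
    treated as unaffected because they post-date the fix.
    """
    v = parse_version(version)
    if v is None:
        return None
    if v <= LAST_AFFECTED_LEGACY:
        return True
    fixed = FIXED_IN.get(v[:2])
    return fixed is not None and v < fixed


def classify_instance(instance_json: str) -> dict:
    """Evaluate the body of GET /api/v1/instance (a real Mastodon endpoint whose
    response carries a 'version' field) and report whether the instance needs
    the CVE-2024-23832 update.
    """
    info = json.loads(instance_json)
    version = info.get("version", "")
    return {
        "uri": info.get("uri"),
        "version": version,
        "affected": is_affected(version),
    }


# Constructed sample response; not captured from any real server.
SAMPLE_INSTANCE_JSON = json.dumps({"uri": "mastodon.example", "version": "4.2.5+glitch"})

if __name__ == "__main__":
    result = classify_instance(SAMPLE_INSTANCE_JSON)
    status = {True: "UPDATE REQUIRED", False: "patched", None: "unknown version"}
    print(f"{result['uri']} runs {result['version']}: {status[result['affected']]}")
```

Feeding the script the live response of your own instance (for example via `curl https://<your-instance>/api/v1/instance`) gives an immediate yes/no; the `None` path exists so that an unparseable version string is surfaced rather than silently treated as safe.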

Mastodon said that further technical details about the vulnerability will be withheld until February 15, 2024, to give administrators enough time to update before the flaw can be abused.

"Any number of details would make creating an exploit very easy," the report says.

The Mastodon platform runs on separate servers (instances) that are independently operated and maintained by individual administrators, each of whom sets the rules that apply locally.

This also means that each instance has its own code of conduct, usage rules, privacy policy, and content moderation, and that each administrator is responsible for installing security updates promptly to protect the instance from such risks.

The disclosure comes almost seven months after Mastodon fixed two other critical vulnerabilities (CVE-2023-36460 and CVE-2023-36459) that attackers could have exploited to cause a denial of service or execute remote code.