In this week’s digest, we discuss two critical vulnerabilities in Mastodon.
Mastodon Security Advisory
Background
Mastodon is a free, open-source and widely used decentralized social network with microblogging capabilities, commonly regarded as an open-source, decentralized alternative to Twitter. Mastodon runs on independently managed nodes hosted by various entities on cloud hosting platforms such as Linode.
Vulnerability
Earlier this week, Mastodon released a new version that fixes multiple vulnerabilities, including two critical ones: CVE-2023-36460 and CVE-2023-36459.
CVE-2023-36460: arbitrary file creation with media attachments
This vulnerability is tracked as CVE-2023-36460 and described in the Mastodon advisory GHSA-9928. It allows an attacker to create and overwrite files anywhere the installed Mastodon instance can access.
Vulnerable versions of Mastodon (3.5.0 and later, prior to the patched releases 3.5.9, 4.0.5 and 4.1.3) do not properly neutralize special elements in pathnames that are built from external input. That input is intended to identify a file or directory under a restricted directory, but it is not validated to resolve only within that directory, so directory traversal sequences allow reading and/or writing outside of it. The consequences can be devastating, ranging from denial of service to remote code execution on the Mastodon server.
Because anyone who can post to a Mastodon server can trigger this vulnerability, its impact is significant and it is rated Critical. Moreover, Mastodon is a social media platform with a very large number of users who are able to post, and therefore to exploit it.
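The underlying weakness is a pathname built from client input without a containment check. The following Ruby snippet is an added illustration of the defensive pattern (it is not Mastodon's own code, and the storage root, constant and function names are hypothetical): resolve the supplied path against a fixed storage root, collapse any `.` and `..` components, and accept the result only if it still lies strictly inside that root; client-influenced filenames are additionally restricted to a single plain path component.

```ruby
# Hypothetical storage root for the example (constructed; not Mastodon's real layout).
MEDIA_ROOT = "/var/lib/mastodon/public/system".freeze

# A client-supplied filename must be one plain path component: no separators,
# no leading dot, so "." and ".." can never appear.
FILENAME_OK = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/

def valid_filename?(name)
  name.is_a?(String) && !!(name =~ FILENAME_OK)
end

# Resolve an externally supplied relative path against the storage root and
# return the absolute path only if it still lies inside that root.
# Returns nil for absolute paths, "~" expansion, NUL bytes and any traversal
# that escapes the root.
def safe_media_path(untrusted, root = MEDIA_ROOT)
  return nil unless untrusted.is_a?(String) && !untrusted.empty?
  return nil if untrusted.include?("\0") || untrusted.start_with?("~")

  root_abs  = File.expand_path(root)
  # Purely lexical: "." and ".." are collapsed, an absolute input ignores root_abs.
  candidate = File.expand_path(untrusted, root_abs)
  # The trailing separator matters: it rejects "#{root_abs}2/..." and root_abs itself.
  return nil unless candidate.start_with?(root_abs + File::SEPARATOR)
  candidate
end

# Combine both checks for a stored attachment: a server-chosen subdirectory
# plus a client-influenced filename.
def attachment_path(subdir, filename)
  return nil unless valid_filename?(filename)
  safe_media_path(File.join(subdir, filename))
end

if __FILE__ == $PROGRAM_NAME
  ["media_attachments/files/1/cover.jpg", "../../etc/passwd", "/etc/passwd"].each do |p|
    puts "#{p.inspect} -> #{safe_media_path(p).inspect}"
  end
end
```

`File.expand_path` is lexical only; when the target already exists on disk, run the same prefix check on `File.realpath` of the candidate as well so that a symlink inside the root cannot point the write elsewhere.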
CVE-2023-36459: XSS with oEmbed preview cards
This vulnerability is tracked as CVE-2023-36459 and described in the Mastodon advisory GHSA-ccm4. It is a cross-site scripting (XSS) vulnerability that allows an attacker to craft oEmbed data so that arbitrary HTML is included in the oEmbed preview card, causing the browsers of users viewing the site to render untrusted markup and exposing those users to a range of risks.
Vulnerable versions of Mastodon (1.3 and later, prior to the patched releases 3.5.9, 4.0.5 and 4.1.3) allow attackers to use oEmbed data to bypass the HTML sanitization process. These versions do not correctly neutralize user-controllable input in the oEmbed preview card before it is placed into the web page served to other users, so attacker-controlled HTML is presented to those users. This creates a vector for XSS payloads that, upon user interaction, can lead to the execution of untrusted, malicious code in the user's browser or on their machine.
This vulnerability is of high impact and severity because anyone who can get oEmbed data onto the Mastodon server can exploit it, and every member of the affected server is susceptible to the resulting attacks.
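The preview card should treat every oEmbed field as data, never as markup. The Ruby snippet below is an added example of that approach (it is not Mastodon's own renderer, and the field set, function names and sample response are constructed for this illustration): text fields are HTML-escaped, link and thumbnail URLs are accepted only if they are absolute http(s) URLs, and the provider's `html` field is discarded rather than copied into the page.

```ruby
require "cgi"
require "json"
require "uri"

# oEmbed response fields the card will show; all are rendered as plain text.
TEXT_FIELDS = %w[title author_name provider_name].freeze

# Accept only absolute http(s) URLs with a host. Anything else (javascript:,
# data:, relative paths, unparsable strings) is dropped so it can never
# become an href or src attribute.
def safe_http_url(value)
  uri = URI.parse(value.to_s)
  return nil unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Build preview-card markup from an oEmbed JSON document. The provider's
# "html" field is never used: every displayed value is either escaped text
# or a validated URL, so provider-controlled markup cannot reach the page.
def render_preview_card(oembed_json)
  data = begin
    JSON.parse(oembed_json)
  rescue JSON::ParserError
    {}
  end
  data = {} unless data.is_a?(Hash)

  text  = TEXT_FIELDS.to_h { |f| [f, CGI.escapeHTML(data[f].to_s)] }
  link  = safe_http_url(data["url"])
  thumb = safe_http_url(data["thumbnail_url"])

  parts = ['<div class="preview-card">']
  parts << %(<img src="#{CGI.escapeHTML(thumb)}" alt="">) if thumb
  parts << if link
             %(<a href="#{CGI.escapeHTML(link)}" rel="noopener noreferrer">#{text["title"]}</a>)
           else
             %(<span>#{text["title"]}</span>)
           end
  parts << %(<small>#{text["author_name"]} / #{text["provider_name"]}</small>)
  parts << "</div>"
  parts.join
end

# Constructed sample response: the provider places markup in a text field,
# a non-http scheme in the thumbnail URL and an embed in "html".
SAMPLE_OEMBED = JSON.generate(
  "type"          => "rich",
  "title"         => "Release notes <script>oops</script>",
  "author_name"   => "Example Author",
  "provider_name" => "example.test",
  "url"           => "https://example.test/post/1",
  "thumbnail_url" => "javascript:void(0)",
  "html"          => '<iframe src="https://example.test/embed/1"></iframe>'
)

if __FILE__ == $PROGRAM_NAME
  puts render_preview_card(SAMPLE_OEMBED)
end
```

If a deployment does want rich embeds from specific providers, the safer design is an allowlist of provider hosts combined with a sandboxed iframe whose `src` is a validated URL, rather than any path that inserts the provider's `html` string into the page.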
Mitigation
- Update your hosted Mastodon instance to version 4.1.3, 4.0.5, or 3.5.9.
- Make sure the Mastodon server you are accessing is running the latest version.
Note: Mastodon can be hosted on Linodes by manual installation or through the One-Click Marketplace app. However, these instances are not managed or maintained by Linode. Linode users are responsible for understanding the risks and keeping their installed software up to date. Learn more in the Mastodon Marketplace App Deployment Guide.