Developers have closed four security holes in the Mastodon software. Two of them are critical and allow malicious code to be smuggled in and executed; ultimately, attackers can take over Mastodon servers.
Mastodon: critical gaps
Attackers can use carefully crafted media files to make the code that processes this content create arbitrary files anywhere in the file system that Mastodon has access to. As a result, they can either inject their own code or trigger a denial of service (CVE-2023-36460, CVSS 9.9, risk "critical"). In addition, malicious actors can use intentionally manipulated oEmbed data to bypass Mastodon's HTML filtering and inject arbitrary HTML into embedded preview cards. This enables cross-site scripting attacks, where the injected code is executed in the user's browser simply by viewing the preview card (CVE-2023-36459, CVSS 9.3, also "critical").
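The preview-card problem above is, at bottom, an HTML filter that let disallowed markup through. The following is an added illustration (not Mastodon's sanitizer, which is written in Ruby, and not code from the article) of the allowlist approach such a filter has to take: every tag and attribute is dropped unless it is explicitly permitted, link targets are restricted to http/https, and all text is re-escaped on output. The tag and attribute lists are assumptions chosen for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlists for the example; a real preview-card renderer would
# pick the minimal set its templates actually need.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild an HTML fragment keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag is dropped; its text content still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, style, etc. never survive
            if name == "href":
                scheme = urlsplit((value or "").strip()).scheme.lower()
                if scheme not in SAFE_SCHEMES:
                    continue  # rejects javascript:, data:, scheme-less junk
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # close any tags opened after this one so the output stays well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # html.parser decoded entities on input; encode again on output so
        # "<script>" inside text or a dropped <script> body is rendered inert.
        self.out.append(html.escape(data, quote=False))

    # comments, processing instructions and declarations are silently dropped

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return an allowlist-filtered version of an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs of the kind an untrusted oEmbed response might carry.
    for sample in (
        '<p>Hi <b>there</b><script>alert(1)</script></p>',
        '<a href="javascript:alert(1)" onclick="x()">click</a>',
        '<img src=x onerror=alert(1)>text',
        '<a href="https://example.com/?a=1&b=2">ok</a>',
    ):
        print(repr(sanitize(sample)))
```

The design choice to note is that nothing is "removed" from the input: the output is rebuilt from scratch, so an unexpected construct can only fall out, never slip through. For production code a maintained sanitizer library is still the right tool; the value of writing one out is seeing which decisions (allowlist, scheme check, re-escaping) a bypass has to defeat.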
For outgoing HTTP requests, Mastodon sets a timeout value only for individual reads. A malicious server can therefore slow down its responses and stretch them over an arbitrarily long period with a "slow"-type (slowloris-style) attack. This causes a denial of service (CVE-2023-36461, CVSS 7.5, "high"). Finally, attackers can format verified profile links so that parts of them are not displayed, which can make a link appear to lead somewhere else entirely (CVE-2023-36462, CVSS 5.4, "medium").
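Why a per-read timeout alone is not enough is easiest to see with a server that drips its body one byte at a time: every individual read completes quickly, so the read timeout never fires, yet the request never finishes. The following is an added example, not Mastodon's HTTP client and not code from the article; it pairs a constructed local "dripping" server with a fetch routine that enforces a wall-clock deadline and a size cap on top of the per-read timeout. All names and the timing constants are assumptions for the demonstration.

```python
import http.client
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Constructed test server: "/slow" sends headers at once, then trickles the
# body one byte at a time, each byte arriving well inside any sane per-read
# timeout; "/fast" sends the whole body immediately.
BODY = b"x" * 50
DRIP_INTERVAL = 0.2  # seconds between bytes; a complete slow response takes ~10 s


class DrippingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        try:
            if self.path == "/fast":
                self.wfile.write(BODY)
                return
            for i in range(len(BODY)):
                self.wfile.write(BODY[i:i + 1])
                self.wfile.flush()
                time.sleep(DRIP_INTERVAL)
        except (BrokenPipeError, ConnectionResetError):
            pass  # the client gave up early, which is the intended outcome

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Start the constructed server on a free local port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), DrippingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_with_deadline(url, read_timeout=1.0, total_deadline=2.0, max_bytes=1 << 20):
    """GET `url` with a per-read timeout AND a wall-clock deadline for the whole body.

    Returns (status, body, elapsed_seconds); status is "ok", "deadline" or
    "too_large". Against a dripping server the per-read timeout never trips,
    because every byte arrives within `read_timeout`; the deadline check
    between reads is what stops the request. The worst-case overrun past the
    deadline is a single `read_timeout`.
    """
    parts = urlsplit(url)
    start = time.monotonic()
    conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=read_timeout)
    resp = None
    chunks, size, status = [], 0, "ok"
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        while True:
            if time.monotonic() - start >= total_deadline:
                status = "deadline"
                break
            # read1() returns as soon as some bytes are available instead of
            # blocking until 4096 bytes have arrived, so the deadline is
            # re-evaluated after every network read.
            chunk = resp.read1(4096)
            if not chunk:
                break  # end of body
            size += len(chunk)
            if size > max_bytes:
                status = "too_large"
                break
            chunks.append(chunk)
    except socket.timeout:
        status = "deadline"  # one read stalled for longer than read_timeout
    finally:
        if resp is not None:
            resp.close()
        conn.close()
    return status, b"".join(chunks), time.monotonic() - start


if __name__ == "__main__":
    server, base = start_server()
    print(fetch_with_deadline(base + "/fast"))
    print(fetch_with_deadline(base + "/slow", read_timeout=1.0, total_deadline=1.0))
    server.shutdown()
```

Run as a script, the fast request returns "ok" with the full body almost immediately, while the slow one returns "deadline" after about one second with only a handful of bytes, instead of tying up the worker for the ten seconds the server would like. The size cap guards the complementary case of a server that answers quickly but endlessly.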
Mastodon 4.1.3, 4.0.5 and 3.5.9 fix the security vulnerabilities. Operators of Mastodon instances should update their software promptly to reduce the attack surface. The releases are available from Mastodon's GitHub project.
A new social network, Threads, has been available since Thursday of this week. It is to be connected to the Fediverse in the future, so that users can move between Threads and Mastodon instances and take their followers with them.