CVE-2024-25618

Exploit

EPSS 0.38%
Veröffentlicht 14.02.2024 21:15:08
Zuletzt bearbeitet 18.12.2024 22:27:39
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Joinmastodon ≫ Mastodon Version < 3.5.18

Joinmastodon ≫ Mastodon Version >= 4.0.0 < 4.0.14

Joinmastodon ≫ Mastodon Version >= 4.1.0 < 4.1.14

Joinmastodon ≫ Mastodon Version >= 4.2.0 < 4.2.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.38%	0.59

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.4	2.2	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com	4.2	1.6	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15

Patch

https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-25618

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-25618

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-25618

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-25618