Critical vulnerability in Mastodon is pounced upon by fast-acting admins
Mastodon has called admins to action following the disclosure of a critical vulnerability affecting the decentralized social network favored by erstwhile Twitter lovers.
"Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5."
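An admin reading the advisory wants one thing first: is my instance inside one of those ranges? The following script is an added example for this page (not code from the article or from the Mastodon project) that encodes the four ranges quoted above and compares a version string against them. It assumes version strings of the form "4.2.4", "v4.2.5" or "4.2.5-rc1", and it assumes that release lines newer than any the advisory names (4.3.x and later) already ship with the fix.

```python
"""Decide whether a Mastodon instance version falls inside the affected ranges
quoted in the article: below 3.5.17, 4.0.x below 4.0.13, 4.1.x below 4.1.13,
and 4.2.x below 4.2.5.

Added example for this page; not code from the article or the Mastodon project.
"""
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, is_final_release)

# First fixed release on each 4.x line, from the quoted advisory text.
FIXED_BY_LINE: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (4, 0): (4, 0, 13),
    (4, 1): (4, 1, 13),
    (4, 2): (4, 2, 5),
}
# Everything older than the 4.0 line is measured against 3.5.17.
LEGACY_FIXED: Tuple[int, int, int] = (3, 5, 17)


def parse_version(text: str) -> Version:
    """Parse strings such as '4.2.4', 'v4.2.5' or '4.2.5-rc1' (assumed formats).

    A pre-release suffix after '-' marks the version as earlier than the final
    release with the same number; build metadata after '+' is ignored.
    """
    text = text.strip()
    if text[:1] in ("v", "V"):
        text = text[1:]
    text = text.split("+", 1)[0]
    base, _, prerelease = text.partition("-")
    parts = [int(p) for p in base.split(".") if p != ""]
    if not parts:
        raise ValueError(f"not a version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    major, minor, patch = parts[:3]
    return (major, minor, patch, 0 if prerelease else 1)


def is_vulnerable(text: str) -> bool:
    """True if the version is inside one of the affected ranges."""
    version = parse_version(text)
    line = version[:2]
    if line in FIXED_BY_LINE:
        # A pre-release of the fixed version (is_final_release == 0) sorts
        # below the final release and is therefore still counted as affected.
        return version < FIXED_BY_LINE[line] + (1,)
    if line > (4, 2):
        # Assumption: release lines newer than any the advisory names
        # (for example 4.3.x) ship with the fix.
        return False
    return version < LEGACY_FIXED + (1,)


def patched_share(versions: Iterable[str]) -> Tuple[int, int]:
    """Count (patched, total) over reported instance versions, the kind of
    tally a fediverse stats collector publishes after a disclosure."""
    patched = total = 0
    for v in versions:
        total += 1
        if not is_vulnerable(v):
            patched += 1
    return patched, total


if __name__ == "__main__":
    # Constructed sample of versions reported by instances; not real data.
    sample = ["v4.2.5", "4.2.4", "4.1.13", "4.1.12", "4.0.13", "3.5.16", "4.2.5-rc1"]
    for v in sample:
        print(f"{v:10} {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    print("patched %d of %d" % patched_share(sample))
```

The comparison is done on tuples rather than strings so that "4.2.10" sorts after "4.2.5"; a plain string compare would get that wrong. The pre-release flag is the edge case worth keeping: an instance running a release candidate of the fixed version is still treated as unpatched until the final release is installed.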
"Each instance of Mastodon is hosted separately from all others, and while there are common links to allow moving between instances, they are separate, owned, and operated by different people, with different teams managing the security of each. For this reason, each instance of Mastodon requires an economy-of-scale to support its operations, including people to manage infrastructure and security engineering."
"There aren't enough details here yet to say exactly why Mastodon is vulnerable and other platforms aren't, but different source code repositories won't share vulnerabilities unless there is an inherent flaw in one of the open-source packages that are shared between both products."
The good news for Mastodon users is that more than half of all active servers have already upgraded to the latest version in the space of a day, according to data from fediverse network stat collector FediDB. Such a fast patch rate was likely the product of how well the Mastodon community publicized the matter.
A quick scan of the security advisory history at Mastodon shows this isn't the only security issue the platform has had to patch over the past year, with two critical bugs, CVE-2023-36460 and CVE-2023-36459, emerging in July 2023.
Related news
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability
- Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining
- Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks
- Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability
- A critical vulnerability in Delinea Secret Server allows auth bypass, admin access
- PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2023-07-06 | CVE-2023-36460 | Path Traversal vulnerability in Joinmastodon Mastodon | Mastodon is a free, open-source social network server based on ActivityPub. | 9.9 |
| 2023-07-06 | CVE-2023-36459 | Cross-site Scripting vulnerability in Joinmastodon Mastodon | Mastodon is a free, open-source social network server based on ActivityPub. | 6.1 |