CVE-2023-28853

7.7 HIGH

📋 TL;DR

This vulnerability allows attackers to perform LDAP injection attacks on Mastodon instances configured with LDAP authentication. By manipulating login queries, attackers can extract arbitrary attributes from the LDAP database, potentially exposing sensitive user information. Affected systems are Mastodon instances running versions 2.5.0 through 3.5.7, 4.0.0 through 4.0.3, and 4.1.0 through 4.1.1 with LDAP authentication enabled.
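The following Ruby is an added illustration, not Mastodon's own code and not the upstream patch: it places a login value interpolated verbatim into an LDAP search filter (the pattern behind this class of bug) next to the same value escaped per RFC 4515 before interpolation, which is the standard remedy. The attribute name uid, the helper names and the sample logins are assumptions for this example; Mastodon's LDAP code uses the net-ldap gem, where Net::LDAP::Filter.escape provides equivalent escaping.

```ruby
# Added example (not Mastodon's code). Shows why verbatim interpolation of a
# login value into an LDAP filter is unsafe and how RFC 4515 escaping fixes it.

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value so they are matched literally instead of parsed as syntax.
LDAP_FILTER_ESCAPES = {
  "\0" => '\\00',
  '*'  => '\\2a',
  '('  => '\\28',
  ')'  => '\\29',
  '\\' => '\\5c'
}.freeze

# Escape a value for use inside an LDAP filter assertion.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\x00*()\\]/) { |ch| LDAP_FILTER_ESCAPES[ch] }
end

# Unsafe pattern: whatever the user typed becomes part of the filter grammar.
def unsafe_login_filter(uid_attr, login)
  "(#{uid_attr}=#{login})"
end

# Hardened pattern: the value can only ever match a literal directory entry.
def safe_login_filter(uid_attr, login)
  "(#{uid_attr}=#{ldap_filter_escape(login)})"
end

# Review helper: true only if the filter is a single equality assertion on
# uid_attr whose value contains no raw filter metacharacters.
def single_literal_assertion?(filter, uid_attr)
  m = /\A\(#{Regexp.escape(uid_attr)}=(.*)\)\z/m.match(filter)
  return false unless m
  !m[1].match?(/[*()]/)
end

if __FILE__ == $PROGRAM_NAME
  # 'uid' and the sample logins are assumptions for this demo.
  ['alice', '*', 'ali(ce)'].each do |login|
    puts "login=#{login.inspect}"
    puts "  unsafe: #{unsafe_login_filter('uid', login)}  literal? #{single_literal_assertion?(unsafe_login_filter('uid', login), 'uid')}"
    puts "  safe:   #{safe_login_filter('uid', login)}  literal? #{single_literal_assertion?(safe_login_filter('uid', login), 'uid')}"
  end
end
```

The escaped form turns a wildcard or parenthesis into a literal byte sequence, so the directory only ever sees a single equality assertion on the configured attribute, which is the property the patched releases restore.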

💻 Affected Systems

Products:
  • Mastodon
Versions: 2.5.0 through 3.5.7, 4.0.0 through 4.0.3, and 4.1.0 through 4.1.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when LDAP authentication is configured and enabled. Standard email/password authentication is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete LDAP database compromise allowing extraction of all user attributes including passwords, personal information, and organizational data.

🟠 Likely Case

Extraction of user email addresses, names, roles, and other directory attributes leading to privacy violations and potential credential harvesting.

🟢 If Mitigated

Limited information disclosure if the LDAP directory contains minimal sensitive attributes or proper access controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of LDAP query syntax and access to the login endpoint. A public proof-of-concept exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.8, 4.0.4, or 4.1.2

Vendor Advisory: https://github.com/mastodon/mastodon/releases/tag/v3.5.8

Restart Required: Yes

Instructions:

1. Back up your Mastodon instance.
2. Update to Mastodon version 3.5.8, 4.0.4, or 4.1.2 using your package manager or git.
3. Run bundle install.
4. Run rails db:migrate.
5. Restart Mastodon services.

🔧 Temporary Workarounds

Disable LDAP Authentication

Applies to: all

Temporarily disable LDAP authentication until patching is complete.

1. Edit config/initializers/devise.rb and set config.ldap_authentication = false.
2. Restart Mastodon services.

🧯 If You Can't Patch

  • Implement network-level restrictions to limit LDAP login endpoint access to trusted IPs only
  • Enable detailed LDAP query logging and monitor for unusual patterns or injection attempts

🔍 How to Verify

Check if Vulnerable:

Check the Mastodon version and LDAP configuration. If the version is within 2.5.0 to 3.5.7, 4.0.0 to 4.0.3, or 4.1.0 to 4.1.1 and LDAP authentication is enabled, the instance is vulnerable.

Check Version:

cd /path/to/mastodon && git describe --tags 2>/dev/null || git rev-parse HEAD

Verify Fix Applied:

Verify that the Mastodon version is 3.5.8, 4.0.4, or 4.1.2 or higher. Confirm that LDAP queries are now properly sanitized in authentication logs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP query patterns in authentication logs
  • LDAP queries containing special characters like *, (, ), &, |, =
  • Multiple failed login attempts with LDAP injection patterns

Network Indicators:

  • Unusual volume of traffic to LDAP authentication endpoint
  • Requests containing LDAP filter syntax in login parameters

SIEM Query:

source="mastodon.logs" AND "LDAP" AND ("*" OR "(" OR ")" OR "&" OR "|") AND NOT "normalized"
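As an added example (not part of the advisory and not Mastodon code), this Ruby routine applies the log indicators above to a constructed authentication log: it parses each line, flags login values containing LDAP filter metacharacters, and groups flagged failures by source address to surface repeated attempts. The line format (ldap_auth result=... login="..." src=...), the sample entries and the RFC 5737 addresses are invented for this example; adapt the AUTH_LINE pattern to your own log format.

```ruby
# Added example (not Mastodon's code). Triage of authentication log lines for
# the indicators listed above. The log format below is constructed for this
# example; real Mastodon logs differ, so adapt AUTH_LINE to your own format.

# Filter metacharacters called out in the Log Indicators section.
LDAP_METACHARS = /[*()&|\\\x00]/

# Constructed sample lines (not real data); RFC 5737 documentation addresses.
SAMPLE_AUTH_LOG = <<~LOG
  2023-04-01T12:00:01Z INFO ldap_auth result=failure login="alice" src=203.0.113.5
  2023-04-01T12:00:02Z INFO ldap_auth result=failure login="*" src=198.51.100.7
  2023-04-01T12:00:03Z INFO ldap_auth result=failure login="bob*" src=198.51.100.7
  2023-04-01T12:00:04Z INFO ldap_auth result=success login="carol" src=203.0.113.9
  2023-04-01T12:00:05Z INFO ldap_auth result=failure login="a)(b" src=198.51.100.7
  2023-04-01T12:00:06Z INFO request GET /about src=203.0.113.9
LOG

AUTH_LINE = /\A(?<ts>\S+)\s+\S+\s+ldap_auth\s+result=(?<result>\w+)\s+login="(?<login>.*)"\s+src=(?<src>\S+)\z/

# Parse one ldap_auth line into a hash; nil for anything else.
def parse_auth_line(line)
  m = AUTH_LINE.match(line.strip)
  return nil unless m
  { ts: m[:ts], result: m[:result], login: m[:login], src: m[:src] }
end

# Entries whose login value contains filter metacharacters.
def suspicious_logins(log_text)
  log_text.each_line.map { |l| parse_auth_line(l) }.compact
          .select { |e| e[:login].match?(LDAP_METACHARS) }
end

# Sources with at least `threshold` flagged failures: the "multiple failed
# login attempts" indicator. Returns { src => count }.
def repeat_offenders(log_text, threshold: 2)
  suspicious_logins(log_text)
    .select { |e| e[:result] == 'failure' }
    .group_by { |e| e[:src] }
    .select { |_src, entries| entries.size >= threshold }
    .transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  suspicious_logins(SAMPLE_AUTH_LOG).each do |e|
    puts "#{e[:ts]} flagged login=#{e[:login].inspect} src=#{e[:src]}"
  end
  repeat_offenders(SAMPLE_AUTH_LOG).each { |src, n| puts "#{src}: #{n} flagged failures" }
end
```

Flagging on the raw login value rather than on the rendered LDAP query avoids the false negatives a patched instance would otherwise produce, since after the fix the escaped filter no longer contains the raw characters the SIEM query above looks for.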
