SB2024021455 - Multiple vulnerabilities in Mastodon

Description

This security bulletin contains information about 2 vulnerabilities.

1) Insufficient Session Expiration (CVE-ID: CVE-2024-25619)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to insufficient session expiration in the streaming server when processing streaming connections associated with destroyed OAuth applications. A remote user can use access tokens that were not invalidated in streaming to disclose sensitive information.

Exploitation was only possible through a user-created application on the user's own account.

2) Improper Authentication (CVE-ID: CVE-2024-25618)

The vulnerability allows a remote user to take over another user's account.

The vulnerability exists due to improper authentication in external authentication account linking when matching first-time logins to existing local users by e-mail address. A remote user can change the e-mail address on an external identity provider account and log in through the provider to take over another user's account.

Exploitation requires the external authentication provider to allow e-mail address changes or multiple authentication providers to be configured.

Remediation

Install update from vendor's website.

References

• https://github.com/mastodon/mastodon/security/advisories/GHSA-7w3c-p9j8-mq3x
• https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3