SB20240704106 - Multiple vulnerabilities in Mastodon
Published: July 4, 2024 Updated: April 23, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in multiple API endpoints when handling requests with application tokens. A remote attacker can send requests using application tokens to disclose sensitive information.
On affected configurations, unregistered users can access hashtag timelines that should not be publicly accessible, and applications can access the public timeline regardless of their permissions.
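The check that matters here is whether a token acts for a user at all, not merely whether a token is present. The following is an added illustration and not Mastodon's own code: a timeline authorization policy that gives an application token (one with no authorizing account) exactly the access an anonymous visitor would get, regardless of the scopes the application was registered with. The token shape, the endpoint names and the configuration key requireLoginForPublicTimelines are assumptions made for this example; the scope name read:statuses and its parent scope read follow the Mastodon-style OAuth scope naming.

```javascript
// Added example, not Mastodon's own code. Token shape, endpoint names and the
// config key requireLoginForPublicTimelines are assumptions for illustration.

const READ_STATUSES = 'read:statuses'; // Mastodon-style scope; 'read' is its parent

// A user token was authorized by an account and carries resourceOwner; an
// application token (client_credentials grant) acts for no user at all.
function isApplicationToken(token) {
  return token.resourceOwner === null || token.resourceOwner === undefined;
}

// Mastodon-style scope hierarchy: 'read' grants every 'read:*' sub-scope.
function hasScope(token, scope) {
  const parent = scope.split(':')[0];
  return token.scopes.includes(scope) || token.scopes.includes(parent);
}

// Vulnerable pattern: "is there a token?" is the only question asked, so an
// application token unlocks timelines meant for logged-in users only.
function authorizeTimelineVulnerable(endpoint, token, config) {
  if (token && !token.revoked) return { allowed: true, reason: 'token present' };
  if (endpoint !== 'home' && !config.requireLoginForPublicTimelines) {
    return { allowed: true, reason: 'open instance' };
  }
  return { allowed: false, reason: 'login required' };
}

// Hardened pattern: decide from whom the token acts for and what it may read.
function authorizeTimelineHardened(endpoint, token, config) {
  const publicStyle = endpoint === 'public' || endpoint === 'hashtag';
  const anonymousOk = publicStyle && !config.requireLoginForPublicTimelines;

  if (!token) {
    return anonymousOk
      ? { allowed: true, reason: 'open instance' }
      : { allowed: false, reason: 'login required' };
  }
  if (token.revoked) return { allowed: false, reason: 'token revoked' };

  if (isApplicationToken(token)) {
    // No authorizing user: the application is an anonymous visitor with a
    // client id, whatever scopes it holds.
    return anonymousOk
      ? { allowed: true, reason: 'open instance, application treated as anonymous' }
      : { allowed: false, reason: 'application token acts for no user' };
  }
  if (!hasScope(token, READ_STATUSES)) {
    return { allowed: false, reason: 'user token lacks ' + READ_STATUSES };
  }
  return { allowed: true, reason: 'user token with ' + READ_STATUSES };
}

// Constructed sample tokens and a configuration that requires login to read
// public and hashtag timelines.
const SAMPLE_CONFIG = { requireLoginForPublicTimelines: true };
const APP_TOKEN = { resourceOwner: null, scopes: ['read'], revoked: false };
const USER_TOKEN = { resourceOwner: 'alice', scopes: ['read'], revoked: false };

// Runs both checks on the same request so the difference is visible.
function compare(endpoint, token, config = SAMPLE_CONFIG) {
  return {
    vulnerable: authorizeTimelineVulnerable(endpoint, token, config).allowed,
    hardened: authorizeTimelineHardened(endpoint, token, config).allowed,
  };
}
```

With the constructed closed-instance configuration, compare('hashtag', APP_TOKEN) is allowed by the vulnerable check and denied by the hardened one, while a user token with the read scope passes both; on an open instance the hardened check lets the application token see the same public timelines an anonymous visitor can.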
2) Improper access control (CVE-ID: CVE-2024-37903)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in audience extension handling for existing posts when processing crafted activities. A remote attacker can send specific crafted activities to disclose sensitive information.
Exploitation requires knowledge of the protocol identifier for the target message and control of an account on a Mastodon server that already has legitimate access to that message.
3) Insufficient Session Expiration (CVE-ID: N/A)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to insufficient session expiration in the streaming API when maintaining WebSocket streaming connections after an access token is revoked. A remote user can keep an existing streaming connection open and continue subscribing to streamable timelines to disclose sensitive information.
User interaction is required because the user must first authorize the application before revoking its access token.
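The defensive fix for this class of issue is to keep each long-lived streaming session bound to the access token that opened it, so that revoking the token also ends the session and any later subscribe request is re-checked against the token's current state. The following is an added example and not Mastodon's streaming server: a minimal in-memory model with a vulnerable hub that validates the token once at connect time beside a hardened hub that closes sessions on revocation and re-validates on every subscribe. All class and method names are assumptions for this illustration.

```javascript
// Added example, not Mastodon's streaming server. All names are assumptions.

// Token store shared by the API (which issues and revokes tokens) and the hub.
class TokenStore {
  constructor() { this.tokens = new Map(); }
  issue(id, owner) { this.tokens.set(id, { owner, revoked: false }); }
  isValid(id) { const t = this.tokens.get(id); return !!t && !t.revoked; }
  revoke(id) { const t = this.tokens.get(id); if (t) t.revoked = true; }
}

// One WebSocket-style connection and the timelines it subscribed to.
class StreamingSession {
  constructor(id, tokenId) {
    this.id = id; this.tokenId = tokenId;
    this.open = true; this.closeReason = null;
    this.subscriptions = new Set();
  }
  close(reason) { this.open = false; this.closeReason = reason; this.subscriptions.clear(); }
}

// Vulnerable hub: the token is checked only when the connection is opened.
// Revoking the token afterwards leaves the session streaming indefinitely.
class VulnerableStreamingHub {
  constructor(tokens) { this.tokens = tokens; this.sessions = new Map(); this.nextId = 1; }
  connect(tokenId) {
    if (!this.tokens.isValid(tokenId)) return null;
    const session = new StreamingSession(this.nextId++, tokenId);
    this.sessions.set(session.id, session);
    return session;
  }
  subscribe(session, timeline) {
    if (!session.open) return false;
    session.subscriptions.add(timeline);
    return true;
  }
}

// Hardened hub: sessions are indexed by token so revocation can close them,
// and every subscribe re-validates the token in case revocation bypassed the hub.
class HardenedStreamingHub extends VulnerableStreamingHub {
  constructor(tokens) { super(tokens); this.sessionsByToken = new Map(); }
  connect(tokenId) {
    const session = super.connect(tokenId);
    if (session) {
      if (!this.sessionsByToken.has(tokenId)) this.sessionsByToken.set(tokenId, new Set());
      this.sessionsByToken.get(tokenId).add(session);
    }
    return session;
  }
  subscribe(session, timeline) {
    if (!this.tokens.isValid(session.tokenId)) {
      session.close('token revoked');
      return false;
    }
    return super.subscribe(session, timeline);
  }
  // Hook for the revocation path (user removes the application): revoke the
  // token and tear down every session it opened.
  onTokenRevoked(tokenId) {
    this.tokens.revoke(tokenId);
    for (const session of this.sessionsByToken.get(tokenId) || []) session.close('token revoked');
    this.sessionsByToken.delete(tokenId);
  }
}

// Constructed scenario: connect, subscribe, revoke, then try to subscribe again.
function runScenario(HubClass, revokeThroughHub) {
  const tokens = new TokenStore();
  tokens.issue('tok-1', 'alice');
  const hub = new HubClass(tokens);
  const session = hub.connect('tok-1');
  hub.subscribe(session, 'public');
  if (revokeThroughHub) hub.onTokenRevoked('tok-1'); else tokens.revoke('tok-1');
  return {
    openAfterRevoke: session.open,
    subscribeAfterRevoke: hub.subscribe(session, 'hashtag:security'),
    reconnectAfterRevoke: hub.connect('tok-1') !== null,
  };
}
```

runScenario(VulnerableStreamingHub, false) keeps the session open and still accepts the second subscribe after revocation, which is the behaviour described above; runScenario(HardenedStreamingHub, true) reports the session closed and refuses both the subscribe and a reconnect, and the hardened hub reaches the same result even when the token is revoked directly in the store without going through the hub.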
Remediation
Install the update from the vendor's website.