Mastodon: Security vulnerability allows unauthorized access to posts

Operators of Mastodon instances should update their server software quickly. A high-risk gap allows unauthorized access to posts.

[Image: a stack of Mastodon logos (Marcelo Mollaretti/Shutterstock.com)]

This article was originally published in German and has been automatically translated.

New versions of the Mastodon server software close a security gap classified as high-risk. Attackers can gain unauthorized access to posts.

By crafting certain activities, which the advisory does not yet specify, attackers can extend the audience of a post that does not originate from them to other users on a target server. This gives them access to the content of a post that was not intended for them (CVE-2024-37903, CVSS 8.2, risk "high"). According to the security advisory, the Mastodon developers will publish further details on Monday next week, July 15.

The bug has been present since Mastodon 2.6.0. The developers have released Mastodon 4.2.10 and 4.1.18, which are intended to close the gap. The changelog for Mastodon 4.2.10 also lists other security issues fixed in the new version; these have not been assigned CVE entries. The same fixes are included in Mastodon 4.1.18.

Another of the security-relevant fixes concerns the authorization check on several API endpoints. The check is performed, but incompletely: application tokens, which are not bound to any particular user, were accepted on endpoints that should have required a token belonging to a specific user.
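The distinction the article describes, a scope check that passes application tokens versus one that additionally requires a user-bound token, can be illustrated in a few lines of Ruby (Mastodon's own language). The following is an added example written for this article; it is not Mastodon's code and does not reproduce the actual affected endpoints. The token model is a constructed stand-in: the field name `resource_owner_id` follows the convention of the Doorkeeper OAuth library, where it is nil for client-credentials (application) tokens and set for tokens issued on behalf of a user; the sample tokens and scopes are made up for the demonstration.

```ruby
# Added illustration, not Mastodon's code: why a scope-only authorization
# check lets application tokens reach endpoints that act on behalf of a user.

# Minimal stand-in for an OAuth access token. `resource_owner_id` (name taken
# from Doorkeeper's convention, assumed here) is nil for application tokens
# obtained via client_credentials and set for tokens issued to a user.
AccessToken = Struct.new(:token, :scopes, :resource_owner_id, :revoked, keyword_init: true)

# Constructed sample tokens for the demonstration.
TOKENS = {
  'app-token'       => AccessToken.new(token: 'app-token',       scopes: %w[read write], resource_owner_id: nil, revoked: false),
  'user-token'      => AccessToken.new(token: 'user-token',      scopes: %w[read write], resource_owner_id: 42,  revoked: false),
  'read-only-token' => AccessToken.new(token: 'read-only-token', scopes: %w[read],       resource_owner_id: 43,  revoked: false),
  'old-token'       => AccessToken.new(token: 'old-token',       scopes: %w[read write], resource_owner_id: 7,   revoked: true),
}.freeze

class Unauthorized < StandardError; end

# Resolve a bearer token string; unknown and revoked tokens are rejected.
def lookup(token_string)
  tok = TOKENS[token_string]
  raise Unauthorized, 'unknown or revoked token' if tok.nil? || tok.revoked
  tok
end

# Weak check: verifies the token exists and carries the required scope.
# An application token with the right scope passes, although the endpoint
# is supposed to act as "the current user".
def authorize_scope_only!(token_string, required_scope)
  tok = lookup(token_string)
  raise Unauthorized, 'missing scope' unless tok.scopes.include?(required_scope)
  tok
end

# Hardened check: scope AND a resource owner. Application tokens (no user
# behind them) are rejected; the user id is returned for the endpoint to use.
def authorize_user!(token_string, required_scope)
  tok = authorize_scope_only!(token_string, required_scope)
  raise Unauthorized, 'endpoint requires a user-bound token' if tok.resource_owner_id.nil?
  tok.resource_owner_id
end

# Run one of the two checks against a token and report the outcome as a value
# rather than an exception, so both behaviours can be compared side by side.
def simulate(token_string, check: :user)
  if check == :user
    authorize_user!(token_string, 'write')
  else
    authorize_scope_only!(token_string, 'write')
  end
  :allowed
rescue Unauthorized => e
  "denied: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  TOKENS.each_key do |name|
    puts format('%-16s scope-only: %-36s user-bound: %s',
                name, simulate(name, check: :scope_only), simulate(name, check: :user))
  end
end
```

The point of the comparison is the `app-token` row: with a scope-only check it is allowed, with the user-bound check it is denied. A token that carries no resource owner cannot legitimately exercise an endpoint that reads or changes "the current user's" data, so the check that distinguishes the two token kinds is the one that matters for this class of bug.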

Operators of Mastodon instances should download and install the available updates promptly in order to protect user content from unauthorized access.

Mastodon has had to close security gaps on several occasions before. In February, for example, it became known that attackers could take over or impersonate any account.

(dmk)