Mastodon Vulnerability Disclosed: Hackers Can Hijack Decentralized Accounts

admin, 2024-02-04 13:33:33

The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account.

"Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account," the maintainers said in a terse advisory.

The vulnerability, tracked as CVE-2024-23832, has a severity rating of 9.4 out of a maximum of 10. Security researcher arcanicanis has been credited with discovering and reporting it.

It has been described as an "origin validation error" (CWE-346), which can typically allow an attacker to "access any functionality that is inadvertently accessible to the source."
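
The CWE-346 class in a federated setting, as an added illustrative example (this is not Mastodon's code and not the withheld fix, whose details the advisory does not give): a server that receives or dereferences an ActivityPub-style object should not treat it as authoritative unless the object's own `id` and its `actor` share the origin (scheme, host, port) of the server it was fetched from or signed by; otherwise one server can hand over an object that names accounts on another server. The hostnames, the `validate_origin!` / `accept_remote_object?` helpers and the sample activities below are constructed for this example.

```ruby
require 'json'
require 'uri'

# Illustrative origin check for federated (ActivityPub-style) objects.
# Added example, not Mastodon's code. Hostnames and helper names are
# assumptions made for the example.

class OriginMismatch < StandardError; end

# Origin = (scheme, host, port), the same tuple browsers use for the
# same-origin policy. Default ports are normalised by URI (https -> 443).
def origin_of(url)
  u = URI.parse(url)
  unless u.is_a?(URI::HTTP) && u.host
    raise ArgumentError, "not an absolute http(s) URL: #{url}"
  end
  [u.scheme.downcase, u.host.downcase, u.port]
end

def same_origin?(a, b)
  origin_of(a) == origin_of(b)
end

# +fetched_from+ is the URL the object was dereferenced from (or the URL of
# the key owner that signed the delivery). The object's +id+ and, when
# present, its +actor+ must share that origin. Returns the parsed object or
# raises OriginMismatch.
def validate_origin!(json_text, fetched_from:)
  obj = JSON.parse(json_text)
  id = obj['id']
  raise OriginMismatch, 'object has no id' unless id.is_a?(String)
  unless same_origin?(id, fetched_from)
    raise OriginMismatch, "id #{id} is not same-origin with #{fetched_from}"
  end

  actor = obj['actor'].is_a?(Hash) ? obj['actor']['id'] : obj['actor']
  if actor && !same_origin?(actor, fetched_from)
    raise OriginMismatch, "actor #{actor} is not same-origin with #{fetched_from}"
  end
  obj
end

# Boolean wrapper: true if the object may be processed, false if it must be
# dropped (malformed JSON and bad URLs are rejected too).
def accept_remote_object?(json_text, fetched_from:)
  validate_origin!(json_text, fetched_from: fetched_from)
  true
rescue OriginMismatch, JSON::ParserError, ArgumentError
  false
end

# Constructed sample activities (hypothetical hostnames).
LEGIT = {
  'id' => 'https://example.social/activities/1',
  'type' => 'Create',
  'actor' => 'https://example.social/users/alice'
}.to_json

# Same id origin, but the actor lives on a different server: a server at
# example.social must not be allowed to speak for victim.example's accounts.
SPOOFED = {
  'id' => 'https://example.social/activities/2',
  'type' => 'Create',
  'actor' => 'https://victim.example/users/bob'
}.to_json

if $PROGRAM_NAME == __FILE__
  inbox = 'https://example.social/inbox'
  puts "legit accepted:   #{accept_remote_object?(LEGIT, fetched_from: inbox)}"
  puts "spoofed accepted: #{accept_remote_object?(SPOOFED, fetched_from: inbox)}"
  # An object fetched from one host whose id claims another host is also rejected.
  puts "cross-host id:    #{accept_remote_object?(LEGIT, fetched_from: 'https://evil.example/x')}"
end
```

The check compares full origins rather than bare hostnames so that a differing scheme or port is not silently treated as the same server; the real check in a federation implementation also has to be applied consistently to every path that ingests remote objects (inbox delivery, dereferencing, collection pages), which is exactly the kind of gap CWE-346 describes.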

Every Mastodon version prior to 3.5.17 is vulnerable, as are 4.0.x versions before 4.0.13, 4.1.x versions before 4.1.13, and 4.2.x versions before 4.2.5.

Mastodon said it's withholding additional technical specifics about the flaw until February 15, 2024, to give admins ample time to update their server instances and reduce the likelihood of exploitation.

"Any amount of detail would make it very easy to come up with an exploit," it said.

The federated nature of the platform means that it runs on separate servers (aka instances), independently hosted and operated by respective administrators who create their own rules and regulations that are enforced locally.

This also means that not only does each instance have its own code of conduct, terms of service, privacy policy, and content moderation guidelines, but each administrator is also responsible for applying security updates in a timely fashion to protect their instance against risks such as this one.

The disclosure arrives nearly seven months after Mastodon addressed two other critical flaws (CVE-2023-36460 and CVE-2023-36459) that could have been weaponized by adversaries to cause denial-of-service (DoS) or achieve remote code execution.

Originally published on the WeChat public account 知机安全: Mastodon Vulnerability Disclosed: Hackers Can Hijack Decentralized Accounts

Reposted at CN-SEC中文网 (please keep this link when reposting): http://cn-sec.com/archives/2467420.html
