- v4.2.5 was released to fix CVE-2024-23832 (the one I reported)
- v4.2.6 was released to fix CVE-2024-25618 (External OpenID Connect Account Takeover by E-Mail Change, credit to @nik and @pinguin)
- v4.2.7 was released to fix a not-yet-public GitHub security report: https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36
The update of v4.2.5 addressed the specific payloads I had put together, as it was confirmed fixed in my test lab. But I wouldn’t be surprised if there was more, such as if it was something to do with attributedTo or other properties that I could have overlooked.
I was already blown away by the point that I could do the first attack (of impersonated posts) so trivially, and then tumbling down the rabbit hole of noticing I could alter profiles too, and then even hijacking traffic outbound, and rejecting genuine traffic on the inbound—that there was probably even more yet to be discovered still, that someone else caught instead.
I can probably poke around with v4.2.5 more in a moment, to see if there were other trivial vulnerabilities overlooked.