PT-2022-6498 · Mastodon · Mastodon

Published: 2022-04-20 · Updated: 2024-03-06 · CVE-2022-48364

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Mastodon versions 3.5.x through 3.5.2
Description: The issue is in the undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb, which does not use the server's representative account. As a result, when a moderator approves the appeal of a user whose status update was marked as sensitive, the moderator's identity is disclosed. The vulnerability stems from insufficient protection of service data and allows a remote attacker to gain unauthorized access to protected information.
Recommendations: For Mastodon versions 3.5.x through 3.5.2, update to version 3.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the approve appeal service until a patch is available. Avoid using the undo_mark_statuses_as_sensitive method in the affected service until the issue is resolved.
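The following Ruby snippet is an added illustration, not Mastodon's own code: it models the defect the description gives (the undo of a "sensitive" mark being recorded under the approving moderator instead of the server's representative account) with assumed stand-in structs (Account, StatusEdit, Status, REPRESENTATIVE), shows the corrected attribution beside it, and includes a check a reviewer can run over a status's edit history.

```ruby
# Added illustration, not Mastodon's code. Assumed model: a status carries a
# public edit history, and each edit records the account that made it. When an
# appeal is approved and the "sensitive" mark is undone, that edit must be
# attributed to the instance's representative account, not to the moderator,
# or the public history reveals who handled the appeal.
Account    = Struct.new(:id, :username, :moderator)
StatusEdit = Struct.new(:account_id, :sensitive)
Status     = Struct.new(:id, :sensitive, :edits)

# Assumed stand-in for the server's representative (instance) account.
REPRESENTATIVE = Account.new(1, 'instance-actor', false)

# Vulnerable pattern: the undo edit is recorded under the moderator's own id,
# so anyone reading the public edit history learns which moderator approved.
def undo_mark_sensitive_vulnerable(status, moderator)
  status.edits << StatusEdit.new(moderator.id, false)
  status.sensitive = false
  status
end

# Corrected pattern: the undo edit is attributed to the representative
# account; the moderator's identity never enters the public history.
def undo_mark_sensitive_fixed(status, _moderator)
  status.edits << StatusEdit.new(REPRESENTATIVE.id, false)
  status.sensitive = false
  status
end

# Review check: true if any edit in the status's history names a moderator
# account, i.e. moderation activity is being attributed to a person.
def leaks_moderator_identity?(status, accounts)
  moderator_ids = accounts.select(&:moderator).map(&:id)
  status.edits.any? { |edit| moderator_ids.include?(edit.account_id) }
end
```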


Weakness Enumeration: Improper Authentication, Information Disclosure

Related Identifiers

BDU:2023-01777
BIT-MASTODON-2022-48364
CVE-2022-48364

Affected Products

Mastodon