CVE-2024-25618

Name of the Vulnerable Software and Affected Versions Mastodon versions prior to 3.5.18 Mastodon versions prior to 4.0.14 Mastodon versions prior to 4.1.14 Mastodon versions prior to 4.2.6

Description The issue is related to the implementation of CAS, SAML, and OpenID Connect protocols in Mastodon, which allows new identities from configured authentication providers to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. Some well-known OIDC providers make it easy to accidentally allow unverified e-mail changes.

Recommendations For versions prior to 3.5.18, upgrade to version 3.5.18 or later. For versions prior to 4.0.14, upgrade to version 4.0.14 or later. For versions prior to 4.1.14, upgrade to version 4.1.14 or later. For versions prior to 4.2.6, upgrade to version 4.2.6 or later.