
Mastodon :mastodon: security:

In addition to the vulnerabilities discussed here [1], there are two other vulnerabilities fixed in Mastodon 2.5.2:

– nokogiri (1.8.5)
– XSS vulnerability

The remaining question: How many instances are vulnerable this time and remain vulnerable for weeks/months?

[1] mastodon.at/@infosechandbook/1

Five big instances (there are many more) are very likely vulnerable to all four vulnerabilities:

ro-mastodon.puyo.jp
kirakiratter.com
mstdn.tokyocameraclub.com
mstdn-workers.com
qiitadon.com

In total, they have more than 20,000 users.

@eliotberriot

According to instances.social, more than 1200 instances run Mastodon < 2.5.2.

So more than 60 % of instances showing their version number are possibly vulnerable.

There may be 1000s more since the majority of instances hide their version number.
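The counts above come from comparing the version string an instance publishes against 2.5.2, and the last sentence points at the practical catch: many instances do not publish one at all. The following is an added example, not code from the thread or from the Mastodon project, showing how an administrator can classify their own instance (or the ones they run) from the `version` field of Mastodon's `/api/v1/instance` response, treating a missing or unparsable version as "unknown" rather than silently counting it as safe. The JSON responses and hostnames below are constructed for the example; only the 2.5.2 threshold comes from the thread.

```python
import json
import re

# Lowest release containing the fixes discussed in the thread.
FIXED_VERSION = "2.5.2"


def parse_version(version_string):
    """Turn a Mastodon version string into a comparable tuple of ints.

    Mastodon reports values such as "2.5.2" or "2.6.0rc1" in the "version"
    field of /api/v1/instance, and forks append suffixes like "+glitch".
    Only the leading dotted numeric part is compared; a pre-release tag
    (rc1) is ignored, so "2.5.2rc1" would count as 2.5.2 here.
    """
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", version_string)
    if not match:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:          # "2.5" compares like "2.5.0"
        parts.append(0)
    return tuple(parts)


def classify_instance(api_response_json):
    """Classify one /api/v1/instance response body.

    Returns "outdated" (below FIXED_VERSION), "current" (FIXED_VERSION or
    newer) or "unknown" (no usable version field, i.e. the instance hides it).
    """
    try:
        data = json.loads(api_response_json)
    except json.JSONDecodeError:
        return "unknown"
    version = data.get("version") if isinstance(data, dict) else None
    if not isinstance(version, str) or not version.strip():
        return "unknown"
    try:
        reported = parse_version(version)
    except ValueError:
        return "unknown"
    return "outdated" if reported < parse_version(FIXED_VERSION) else "current"


# Constructed sample responses (hostnames and versions invented for the example).
SAMPLE_RESPONSES = {
    "example-a.invalid": '{"uri": "example-a.invalid", "version": "2.4.3"}',
    "example-b.invalid": '{"uri": "example-b.invalid", "version": "2.5.2"}',
    "example-c.invalid": '{"uri": "example-c.invalid", "version": "2.6.0rc1"}',
    "example-d.invalid": '{"uri": "example-d.invalid"}',   # version hidden
}


def summarise(responses):
    """Count instances per class, keeping "unknown" as its own bucket."""
    counts = {"outdated": 0, "current": 0, "unknown": 0}
    for body in responses.values():
        counts[classify_instance(body)] += 1
    return counts


if __name__ == "__main__":
    for host, body in SAMPLE_RESPONSES.items():
        print(f"{host}: {classify_instance(body)}")
    print(summarise(SAMPLE_RESPONSES))
```

For a live check of an instance you administer, feed the body of `https://<your-instance>/api/v1/instance` into `classify_instance`. Keeping "unknown" separate matters for the reasoning in the thread: a hidden version number is not evidence that the instance has been updated, only that the public API cannot tell you.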

@infosechandbook Well, this makes a strong case for eventually having a web based updater like Nextcloud has. "Security through convenience"!


mastodon.at is a microblogging site that federates with most instances on the Fediverse.