Mastodon :mastodon: security:

In addition to the vulnerabilities discussed here [1], there are two other vulnerabilities fixed in Mastodon 2.5.2:

– nokogiri (1.8.5)
– XSS vulnerability

The remaining question: How many instances are vulnerable this time and remain vulnerable for weeks/months?

[1] mastodon.at/@infosechandbook/1

@eliotberriot

According to instances.social, more than 1200 instances run Mastodon < 2.5.2.

So more than 60 % of instances showing their version number are possibly vulnerable.

There may be 1000s more since the majority of instances hide their version number.

Five big instances (there are many more) are very likely vulnerable to all of the four vulnerabilities:

ro-mastodon.puyo.jp
kirakiratter.com
mstdn.tokyocameraclub.com
mstdn-workers.com
qiitadon.com

In total, they have more than 20,000 users.

@infosechandbook Well, this makes a strong case for eventually having a web-based updater like Nextcloud has. "Security through convenience"!
