In addition to the vulnerabilities discussed here, there are two other vulnerabilities fixed in Mastodon 2.5.2:
– nokogiri (1.8.5)
– XSS vulnerability
The remaining question: How many instances are vulnerable this time and remain vulnerable for weeks/months?
@infosechandbook probably 100s.
I can see 1200 up instances on MNM, and around 530 are on a version lower than 2.5.2
According to instances.social, more than 1200 instances run Mastodon < 2.5.2.
So more than 60 % of instances showing their version number are possibly vulnerable.
There may be 1000s more since the majority of instances hide their version number.
@infosechandbook Well, this makes a strong case for eventually having a web based updater like Nextcloud has. "Security through convenience"!
@infosechandbook Is there a bug report for both of these anywhere?