CVE-2022-48364: advisories/README.md at master · 40826d/advisories

The undo_mark_statuses_as_sensitive method in app/services/approve_appeal_service.rb in Mastodon 3.5.x before 3.5.3 does not use the server’s representative account, resulting in moderator identity disclosure when a moderator approves the appeal of a user whose status update was marked as sensitive.


Moderator identity disclosure in Mastodon when approving appeals of statuses marked as sensitive

Advisory Info

  • Vendor: Mastodon gGmbH
  • Product: Mastodon
  • Affected Versions: >= 3.5.0 < 3.5.3
  • Patched Versions: 3.5.3
  • Vendor Publication Date: 2022-05-26

Vulnerability Info

  • Class: CWE-203: Observable Discrepancy
  • CVE: CVE-2022-48364

Summary

Mastodon v3.5.0 introduced the ability for users to appeal moderation actions taken by moderators on their instance.

Each Mastodon instance has a special account that represents that instance (often referred to as representative account or instance actor) which is based on the instance’s domain name (LOCAL_DOMAIN).

The representative account is used by the appeals system to prevent the identity of the individual moderator from being publicly associated with the appealed posts they approve or deny (e.g. in those posts’ edit histories).

Between Mastodon versions 3.5.0 and 3.5.3, the undo_mark_statuses_as_sensitive method in approve_appeal_service.rb used the logged-in user context @current_account.id instead of the representative account context representative_account.id in the call to UpdateStatusService:

diff --git a/app/services/approve_appeal_service.rb b/app/services/approve_appeal_service.rb index 37a08b46e386…96aaaa7d078b 100644 — a/app/services/approve_appeal_service.rb +++ b/app/services/approve_appeal_service.rb @@ -52,8 +52,9 @@ def undo_delete_statuses! end

def undo_mark_statuses_as_sensitive!

  • representative_account = Account.representative @strike.statuses.includes(:media_attachments).each do |status| - UpdateStatusService.new.call(status, @current_account.id, sensitive: false) if status.with_media?
  •  UpdateStatusService.new.call(status, representative\_account.id, sensitive: false) if status.with\_media?
    
    end end
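Review bot: the hunk changes only the single `UpdateStatusService.new.call(status, representative_account.id, sensitive: false)` call site, and the diff touches no spec file; add a regression test asserting that the edit recorded when an appeal for a media status is approved is attributed to `Account.representative` rather than the approving moderator, and confirm that `@current_account.id` is not passed to any other service in this file that writes a publicly visible edit record (the hunk shows this one call only).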

This resulted in moderator identity disclosure when a moderator or admin approved the appeal of a user whose media post had been marked as sensitive. The account that performed the reversal was recorded in the edit history of the post, which can be accessed by anyone who can see the post.
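The following is an added, constructed Ruby model of the flow above; it is not Mastodon's code. It stands in for `Account.representative`, `UpdateStatusService` and the status edit history with minimal classes, places the vulnerable and fixed versions of the method side by side, and adds an audit check that flags edits attributed to a moderator instead of the instance actor (all names other than those in the advisory are hypothetical).

```ruby
# Constructed, simplified model of the flow in this advisory (not Mastodon's
# own classes): undoing a "sensitive" mark goes through UpdateStatusService,
# which records the acting account id in the status's public edit history.
Account = Struct.new(:id, :username, :moderator) do
  def moderator?
    moderator
  end
end

# Hypothetical stand-in for the instance actor returned by Account.representative.
REPRESENTATIVE_ACCOUNT = Account.new(1, "instance.example", false)

def Account.representative
  REPRESENTATIVE_ACCOUNT
end

Status = Struct.new(:id, :sensitive, :with_media, :edits) do
  def with_media?
    with_media
  end
end

class UpdateStatusService
  # Every change appends an edit naming the account that made it; that edit
  # list is what the "Edited" dropdown exposes to anyone who can see the post.
  def call(status, account_id, sensitive:)
    status.sensitive = sensitive
    status.edits << { account_id: account_id, sensitive: sensitive }
    status
  end
end

# Vulnerable behaviour (3.5.0 up to 3.5.3): reversal attributed to the moderator.
def undo_mark_statuses_as_sensitive_vulnerable(statuses, current_account)
  statuses.each do |status|
    UpdateStatusService.new.call(status, current_account.id, sensitive: false) if status.with_media?
  end
end

# Fixed behaviour (3.5.3): reversal attributed to the representative account.
def undo_mark_statuses_as_sensitive_fixed(statuses, _current_account)
  representative_account = Account.representative
  statuses.each do |status|
    UpdateStatusService.new.call(status, representative_account.id, sensitive: false) if status.with_media?
  end
end

# Audit check over a status's edit history: any edit attributed to a moderator
# account instead of the instance actor is the identity leak described above.
def leaked_moderator_edits(status, accounts_by_id)
  status.edits.select { |edit| accounts_by_id.fetch(edit[:account_id]).moderator? }
end
```

Running `leaked_moderator_edits` over the edits produced by each version with a moderator as `current_account` shows one flagged edit for the vulnerable path and none for the fixed one; statuses without media are left untouched by both.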

Steps to Reproduce

  1. As a user on a Mastodon instance (herein https://instance), make a status update with a photo or video attached.

  2. As a moderator or admin on the same instance, open the status update in the admin panel and select “Report” followed by “Mark as sensitive”.

  3. As the poster, browse to https://instance/disputes/strikes, select the strike, and submit the appeal form.

  4. As the moderator, browse to https://instance/admin/disputes/appeals?status=pending, select the appeal, and approve it.

  5. As either user, browse to the status update and select the “Edited” dropdown. Observe that the acting moderator’s identity is shown in the edit history instead of the representative account’s identity.

Impact

Mastodon users whose media posts were marked as sensitive by moderators and later successfully appealed would have been able to identify the user who performed the reversal.

Timeline

  • 2022-04-20: Vulnerability discovery
  • 2022-04-20: Advisory and patch sent to vendor
  • 2022-04-21: Vendor acknowledgment
  • 2022-05-26: Vendor releases fix in v3.5.3 (PR, changelog)
