CVE-2022-24307 in Mastodon
Summary
by MITRE • 02/03/2022
Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access control because it does not compact incoming signed JSON-LD activities. (JSON-LD signing has been supported since version 1.6.0.)
Analysis
by VulDB Data Team • 02/05/2022
The vulnerability identified as CVE-2022-24307 affects the Mastodon social networking platform, specifically versions prior to 3.3.2 and 3.4.x versions before 3.4.6. It is an access control flaw in the handling of signed JSON-LD activities within the platform's federation protocol. Because incoming signed activities are not compacted before they are processed, an activity can carry a valid signature while the properties Mastodon actually acts on differ from the properties the signature covers, so modifications the signer never authorized are accepted as legitimate operations within the distributed social network.
The technical root cause lies in how signed JSON-LD activities, part of the ActivityPub implementation, are verified and then processed. JSON-LD signing has been supported in Mastodon since version 1.6.0; it lets a receiving instance verify the authenticity and integrity of a federated activity even when the activity arrives by way of a third party rather than directly from its author. A JSON-LD signature is computed over the canonicalized RDF graph obtained by expanding the document with its own @context, not over the raw JSON text. Before the fix, Mastodon verified the signature on that graph but then read properties from the raw JSON keys. JSON-LD allows a document's inline @context to redefine, alias or remove terms, so an attacker can arrange for a key to be dropped from or renamed within the signed graph while it is still present under its familiar name in the raw JSON. The signature remains valid, yet the values the application reads are no longer the values that were signed. This undermines the trust model of the federation protocol: activities that appear legitimate because their signatures verify can contain unauthorized modifications to their content or metadata.
The operational impact goes beyond a single unauthorized action. The attacker does not need to break the signature scheme or obtain anyone's signing key: it is enough to take an activity legitimately signed by another user and relay it with altered properties that the signature no longer constrains. Depending on which properties are altered, this could plausibly change the visibility settings of a post, modify user relationships, or attach content to another user's valid signature, and any unpatched Mastodon instance that receives the relayed activity would accept it on the strength of that signature. Because activities are forwarded between instances, one relayed forgery can reach many interconnected servers, so the risk is to the integrity of the distributed social network as a whole rather than to a single account.
This vulnerability aligns with CWE-284, which addresses improper access control, and it illustrates a broader lesson: verifying one representation of a message and then acting on another creates a gap that the sender controls. MITRE ATT&CK does not model tampering with federation messages precisely; T1078 (Valid Accounts) is the nearest analogue, since the attacker borrows the authority of a legitimate signer, but the attacker holds no account credentials, so the mapping is loose. The security implications are significant because the flaw sits in the core federation protocol that carries communication between Mastodon instances: a forged activity relayed from one malicious or compromised instance is accepted by every unpatched instance it reaches. Organizations should upgrade to version 3.3.2 or 3.4.6 without delay and monitor for suspicious federation activity that might indicate exploitation attempts.
The fix requires compacting each incoming signed JSON-LD document with the trusted ActivityStreams context before it is processed, so that the properties the application reads are exactly the properties the verified signature covers. The underlying principle is that the representation you verify must be the representation you act on; normalizing the document to a canonical form before both steps removes the attacker's ability to drive the two apart through the document's own @context. System administrators should also monitor for unusual federation activity patterns and ensure that every instance they operate is updated, since an unpatched node accepts relayed forgeries regardless of how its peers are configured.
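The following Ruby script is an added illustration of the root cause and of the compaction-based fix described above; it is not code from Mastodon or from VulDB. It assumes a deliberately miniature JSON-LD: a term-to-IRI hash stands in for the ActivityStreams context, a sorted JSON serialization of the expanded top-level properties stands in for URDNA2015 canonicalization, and the signature covers only the document body (real Linked Data Signatures also hash the signature options and expand nested objects). Under those assumptions it signs a followers-only Note, relays it with a hostile inline @context that unmaps `to` and aliases a made-up term `realTo` onto `as:to`, and shows that the signature still verifies while the raw `to` key reads as Public and the compacted `to` reads as the original audience.

```ruby
require 'json'
require 'openssl'

# Miniature stand-in for the ActivityStreams JSON-LD context (term => IRI).
# Constructed for this example; the real context defines far more terms.
AS_CONTEXT = {
  'id'      => '@id',
  'type'    => '@type',
  'actor'   => 'as:actor',
  'object'  => 'as:object',
  'to'      => 'as:to',
  'cc'      => 'as:cc',
  'content' => 'as:content',
}.freeze

PUBLIC    = 'as:Public'
FOLLOWERS = 'https://alice.example/users/alice/followers' # constructed

# JSON-LD merges values when two terms expand to the same IRI.
def as_list(value)
  value.is_a?(Array) ? value : [value]
end

# Expansion: map each top-level key to an IRI through the trusted context
# merged with any inline context objects the document itself carries. As in
# JSON-LD, a term mapped to nil is removed and keys without a mapping are
# dropped, so they never become part of the graph that gets signed.
# (Nested objects are left as-is; real expansion recurses into them.)
def expand(doc)
  inline = Array(doc['@context']).grep(Hash).reduce({}) { |acc, h| acc.merge(h) }
  ctx = AS_CONTEXT.merge(inline)
  doc.each_with_object({}) do |(key, value), graph|
    next if key == '@context' || key == 'signature'
    iri = ctx.fetch(key, nil)
    next if iri.nil?
    graph[iri] = graph.key?(iri) ? as_list(graph[iri]) + as_list(value) : value
  end
end

# Deterministic serialization of the expanded graph; stands in for the
# URDNA2015 N-Quads that Linked Data Signatures actually hash.
def canonicalize(doc)
  JSON.generate(expand(doc).sort.to_h)
end

def sign(doc, key)
  sig = key.sign(OpenSSL::Digest.new('SHA256'), canonicalize(doc))
  doc.merge('signature' => { 'type' => 'RsaSignature2017',
                             'signatureValue' => [sig].pack('m0') })
end

def verify(doc, pubkey)
  encoded = doc.dig('signature', 'signatureValue')
  return false unless encoded
  pubkey.verify(OpenSSL::Digest.new('SHA256'), encoded.unpack1('m0'), canonicalize(doc))
end

# The fix: compact the expanded graph back into the *trusted* vocabulary so
# that application code reads exactly the properties the signature covered,
# whatever aliases the sender's inline @context introduced.
def compact(doc)
  reverse = AS_CONTEXT.invert
  expand(doc).each_with_object({}) do |(iri, value), out|
    term = reverse[iri]
    out[term] = value if term
  end
end

def audience_vulnerable(doc) # pre-fix behaviour: trusts raw JSON keys
  doc['to']
end

def audience_fixed(doc)      # post-fix behaviour: reads the compacted form
  compact(doc)['to']
end

# Constructed scenario: alice's instance signs a followers-only Note.
ALICE_KEY = OpenSSL::PKey::RSA.new(2048)
ORIGINAL = sign({
  '@context' => 'https://www.w3.org/ns/activitystreams',
  'type'     => 'Create',
  'actor'    => 'https://alice.example/users/alice',
  'to'       => [FOLLOWERS],
  'object'   => { 'type' => 'Note', 'content' => 'followers only' },
}, ALICE_KEY)

# A relaying attacker keeps alice's signature but adds an inline context that
# unmaps "to" (so the raw key vanishes from the graph) and aliases the
# invented term "realTo" onto as:to carrying the original audience. The
# signed graph is unchanged; the raw JSON now claims the post is Public.
FORGED = ORIGINAL.merge(
  '@context' => ['https://www.w3.org/ns/activitystreams',
                 { 'to' => nil, 'realTo' => 'as:to' }],
  'to'       => [PUBLIC],
  'realTo'   => ORIGINAL['to'],
)

if $PROGRAM_NAME == __FILE__
  puts "signature verifies on forged copy: #{verify(FORGED, ALICE_KEY.public_key)}"
  puts "audience read from raw JSON:      #{audience_vulnerable(FORGED).inspect}"
  puts "audience read after compaction:   #{audience_fixed(FORGED).inspect}"
end
```

The point of the script is the last two lines of output: the same document, with the same valid signature, yields a different audience depending on whether the reader trusts raw keys or the compacted form. A plain edit to the signed `to` value (without the context trick) fails verification as expected, which is why the page's root cause is the representation mismatch rather than a weakness in the signature scheme itself.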