
Cloud Vulnerability DB
A community-led vulnerabilities database
Mastodon, a free open-source social network server, was affected by a vulnerability (CVE-2023-28853) in its LDAP authentication feature. The issue was present from version 2.5.0 onward, in releases prior to 3.5.8, 4.0.4, and 4.1.2. It allowed attackers to perform LDAP injection during the login process, potentially exposing sensitive information from the LDAP directory (GitHub Advisory).
The vulnerability stemmed from insufficient input sanitization of the LDAP query used during authentication: the login process placed untrusted user input into the LDAP search filter without proper escaping. The default configuration used the filter pattern (|(cn=%{email})(mail=%{email})), where the email parameter could be manipulated to inject additional filter clauses. While this could not be exploited for authentication bypass, it enabled blind LDAP injection that could extract information one bit at a time (OSS Security).
Through blind injection, attackers could exfiltrate arbitrary attributes from the LDAP directory. Direct authentication bypass was not possible because of the two-step login process, but attackers could systematically leak sensitive information about other users in the directory. The vulnerability received a CVSS v3.1 score of 7.7 (High), reflecting its potential for significant data exposure (GitHub Advisory).
The vulnerability was patched in Mastodon versions 3.5.8, 4.0.4, and 4.1.2. Users running affected versions should upgrade to these patched versions or later to protect against LDAP injection. The fix involved properly escaping user input before it is placed in LDAP queries (GitHub Release v3.5.8, v4.0.4, v4.1.2).
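The following is an added example (not Mastodon's own code) showing the default filter pattern above built with and without escaping of the login value, and a structural check that counts the assertion clauses a filter ends up with. The escape routine is a hand-written RFC 4515 value escape so the example runs without the net-ldap gem; the exact escaping helper Mastodon adopted is not stated on this page.

```ruby
# Default filter pattern described in the advisory; %{email} is interpolated
# from the value submitted on the login form.
LDAP_SEARCH_FILTER = "(|(cn=%{email})(mail=%{email}))"

# Vulnerable construction: the raw login value is substituted into the filter,
# so filter metacharacters in the value become part of the filter syntax.
def build_filter_unescaped(email)
  format(LDAP_SEARCH_FILTER, email: email)
end

# RFC 4515 escaping of a filter assertion value: backslash, asterisk, both
# parentheses and NUL are replaced by "\" followed by two hex digits.
# (Hand-written for this example; not a library function.)
def ldap_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format("\\%02x", c.ord) }
end

# Hardened construction: the user-controlled value is escaped before it is
# substituted, so it can only ever be matched as a literal string.
def build_filter_escaped(email)
  format(LDAP_SEARCH_FILTER, email: ldap_escape(email))
end

# Defender-side structural check: count "(attr=" assertion openers. The
# default pattern yields exactly two (cn and mail); any more means the login
# value introduced clauses of its own.
def assertion_count(filter)
  filter.scan(/\([a-zA-Z0-9]+=/).size
end

if __FILE__ == $PROGRAM_NAME
  # Constructed test value that closes the cn assertion and opens another.
  probe = "a)(cn=*"
  puts build_filter_unescaped(probe) # four assertions: injection succeeded
  puts build_filter_escaped(probe)   # two assertions: value stayed literal
end
```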
Source: This report was generated using AI