GHSA-cxwf-qc32-375f

Suggest an improvement
Source
https://github.com/advisories/GHSA-cxwf-qc32-375f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-cxwf-qc32-375f/GHSA-cxwf-qc32-375f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cxwf-qc32-375f
Aliases
Published
2024-11-12T19:52:22Z
Modified
2024-11-13T23:33:41.719686Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
  • 8.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P CVSS Calculator
Summary
Decidim-Awesome has SQL injection in AdminAccountability
Details

Vulnerability type:

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Vendor:

Decidim International Community Environment

Has vendor confirmed:

Yes

Attack type:

Remote

Impact:

Code Execution Escalation of Privileges Information Disclosure

Affected component:

A raw sql-statement that uses an interpolated variable exists in the adminroleactions method of the papertrail/version-model(app/models/decidim/decidim_awesome/paper_trail_version.rb).

Attack vector:

An attacker with admin permissions could manipulate database queries in order to read out the database, read files from the filesystem, write files from the filesystem. In the worst case, this could lead to remote code execution on the server. Description of the vulnerability for use in the CVE [ℹ] (https://cveproject.github.io/docs/content/key-details- phrasing.pdf) : An improper neutralization of special elements used in an SQL command in the papertrail/version- model of the decidim_awesome-module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate sql queries to disclose information, read and write files or execute commands.

Discoverer Credits:

Wolfgang Hotwagner

References:

https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability/ https://portswigger.net/web-security/sql-injection

Database specific
{
    "nvd_published_at": "2024-11-12T16:15:21Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-12T19:52:22Z"
}
References

Affected packages

RubyGems / decidim-decidim_awesome

Package

Name
decidim-decidim_awesome
Purl
pkg:gem/decidim-decidim_awesome

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.9.1
Fixed
0.10.3

Affected versions

0.*

0.9.1
0.9.3
0.10.0
0.10.1
0.10.2

RubyGems / decidim-decidim_awesome

Package

Name
decidim-decidim_awesome
Purl
pkg:gem/decidim-decidim_awesome

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.11.0
Fixed
0.11.2

Affected versions

0.*

0.11.1