GHSA-jm79-9pm4-vrw9

Source

https://github.com/advisories/GHSA-jm79-9pm4-vrw9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-jm79-9pm4-vrw9/GHSA-jm79-9pm4-vrw9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jm79-9pm4-vrw9

Aliases

CVE-2023-34090

Published

2023-07-11T22:46:51Z

Modified

2024-02-16T08:21:52.278682Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Decidim vulnerable to sensitive data disclosure

Details

Note: added the actual report as a comment.

Summary

Decidim, a platform for digital citizen participation, uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table).

Impact

This issue may lead to Sensitive Data Disclosure.

Patches

The problem was patched in v0.27.3.

Workarounds

Disable or unpublish all meetings components from your application.

Database specific

{
    "nvd_published_at": "2023-07-11T18:15:16Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-11T22:46:51Z"
}

References

Affected packages

RubyGems / decidim

Package

Name: decidim
Purl: pkg:gem/decidim

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.27.0

Fixed

0.27.3

Affected versions

0.*

0.27.0

0.27.1

0.27.2

RubyGems / decidim-meetings