GHSA-r275-j57c-7mf2

Source
https://github.com/advisories/GHSA-r275-j57c-7mf2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-r275-j57c-7mf2/GHSA-r275-j57c-7mf2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r275-j57c-7mf2
Aliases
  • CVE-2023-47634
Published
2024-02-20T18:02:52Z
Modified
2024-06-25T02:33:22.345509Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Race condition in Endorsements
Details

Impact

A race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than one endorsement.

To exploit this vulnerability, the request to set an endorsement must be sent several times in parallel.

Workarounds

Disable the Endorsement feature in the components.

Database specific
{
    "nvd_published_at": "2024-02-29T01:41:28Z",
    "cwe_ids": [
        "CWE-362"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-20T18:02:52Z"
}
References

Affected packages

RubyGems / decidim

Package

Name
decidim
Purl
pkg:gem/decidim

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.10.0
Fixed
0.26.9

Affected versions


0.10.0
0.10.1
0.11.0.pre1
0.11.1
0.11.2
0.12.0.pre
0.12.0
0.12.1
0.12.2
0.13.0.pre1
0.13.0
0.13.1
0.14.1
0.14.2
0.14.3
0.14.4
0.15.0
0.15.1
0.15.2
0.16.0
0.16.1
0.17.0
0.17.1
0.17.2
0.18.0
0.18.1
0.19.0
0.19.1
0.20.0
0.20.1
0.21.0
0.22.0
0.23.0
0.23.1.rc1
0.23.1
0.23.2
0.23.3
0.23.4
0.23.5
0.23.6
0.24.0.rc1
0.24.0.rc2
0.24.0
0.24.1
0.24.2
0.24.3
0.25.0.rc1
0.25.0.rc2
0.25.0.rc3
0.25.0.rc4
0.25.0
0.25.1
0.25.2
0.26.0.rc2
0.26.0
0.26.1
0.26.2
0.26.3
0.26.4
0.26.5
0.26.7
0.26.8

RubyGems / decidim

Package

Name
decidim
Purl
pkg:gem/decidim

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.27.0
Fixed
0.27.5

Affected versions


0.27.0
0.27.1
0.27.2
0.27.3
0.27.4