Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jeHdmLXFjMzItMzc1Zs4ABBP0

Decidim-Awesome has SQL injection in AdminAccountability

Vulnerability type:

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Vendor:

Decidim International Community Environment

Has vendor confirmed:

Yes

Attack type:

Remote

Impact:

Code Execution
Escalation of Privileges
Information Disclosure

Affected component:

A raw SQL statement that interpolates a variable directly into the query text exists in the admin_role_actions method of the
PaperTrail version model (app/models/decidim/decidim_awesome/paper_trail_version.rb).

Attack vector:

An attacker with admin permissions could manipulate database queries in order to read out the database,
read files from the filesystem or write files to the filesystem. In the worst case, this could lead to remote code
execution on the server.

Description of the vulnerability for use in the CVE (phrased per https://cveproject.github.io/docs/content/key-details-phrasing.pdf): An improper neutralization of special elements used in an SQL command in the papertrail/version model of the decidim_awesome module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate SQL queries
to disclose information, read and write files or execute commands.
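The bug class the advisory names, as an added illustration that is not Decidim-Awesome's code: a raw SQL string that interpolates a value the caller controls, beside the placeholder form that keeps the value out of the SQL grammar, plus a source-level check for the same pattern. The table name, column names, method names and the sample source are assumptions for the illustration; the advisory does not publish the real query.

```ruby
# Added example, not code from Decidim-Awesome. Table, column and method
# names are assumptions; the advisory does not publish the real query.

# Vulnerable shape: the value becomes part of the statement text, so a value
# containing a quote ends the literal and the remainder is parsed as SQL.
def role_actions_sql_vulnerable(role)
  "SELECT id, whodunnit, created_at FROM versions WHERE role = '#{role}'"
end

# Hardened shape: statement and value travel separately, as with
# ActiveRecord's where("role = ?", role); the driver binds the value and the
# statement text never changes.
def role_actions_sql_parameterized(role)
  ["SELECT id, whodunnit, created_at FROM versions WHERE role = ?", [role]]
end

# Standard-SQL string quoting (the rule ActiveRecord's sanitize_sql_array
# applies to string binds): wrap in single quotes and double any embedded
# single quote, so the value can never close its own literal. MySQL also
# treats backslashes as escapes, so use the driver's quoter there.
def quote_sql_string(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Inline quoted literals for the ? placeholders when a raw string cannot be
# avoided. Splitting first and then interleaving means a ? inside a bound
# value is never mistaken for a placeholder.
def inline_binds(sql, binds)
  parts = sql.split("?", -1)
  raise ArgumentError, "placeholder/bind count mismatch" unless parts.size - 1 == binds.size
  parts.zip(binds.map { |b| quote_sql_string(b) } + [""]).flatten.join
end

# Count the string literals in a statement ('...' with '' as the escaped
# quote). With one bound value the hardened statement always holds exactly one
# literal; the vulnerable one holds as many as the attacker chose to open.
def literal_count(sql)
  sql.scan(/'(?:[^']|'')*'/).size
end

# Source-level check for the advisory's pattern: a query-building call whose
# double-quoted string argument contains Ruby interpolation. A heuristic in
# the spirit of Brakeman's SQL-injection check; heredoc bodies on later lines
# are not covered, and every hit needs a human look.
INTERPOLATED_SQL = /\b(?:find_by_sql|where|select|order|joins|having|execute)\s*\(\s*"[^"]*#\{/

def flag_interpolated_sql(source)
  source.each_line.with_index(1).filter_map do |line, n|
    n if line.match?(INTERPOLATED_SQL)
  end
end

# Constructed sample source for the check; not Decidim-Awesome's code.
SAMPLE_SOURCE = <<~'RUBY'
  def admin_role_actions(role)
    find_by_sql("SELECT * FROM versions WHERE role = '#{role}'")
  end

  def admin_role_actions_fixed(role)
    where("role = ?", role)
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  payload = "' OR '1'='1"
  puts role_actions_sql_vulnerable(payload)                      # tautology, 3 literals
  puts inline_binds(*role_actions_sql_parameterized(payload))    # one literal
  p flag_interpolated_sql(SAMPLE_SOURCE)                         # [2]
end
```

Running the script with the payload shows the vulnerable builder emitting WHERE role = '' OR '1'='1', which matches every row, while the parameterized form carries the whole payload as a single quoted literal. The source check flags only the interpolating find_by_sql call, not the placeholder-based where.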

Discoverer Credits:

Wolfgang Hotwagner

References:

https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability/
https://portswigger.net/web-security/sql-injection

Permalink: https://github.com/advisories/GHSA-cxwf-qc32-375f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jeHdmLXFjMzItMzc1Zs4ABBP0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 9 days ago
Updated: 7 days ago


CVSS Score: 9.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Identifiers: GHSA-cxwf-qc32-375f, CVE-2024-43415
References: Repository: https://github.com/decidim-ice/decidim-module-decidim_awesome
Blast Radius: 17.8

Affected Packages

rubygems:decidim-decidim_awesome
Dependent packages: 0
Dependent repositories: 94
Downloads: 50,918 total
Affected Version Ranges: >= 0.9.1, < 0.10.3; >= 0.11.0, < 0.11.2
Fixed in: 0.10.3, 0.11.2
All affected versions: 0.9.1, 0.9.3, 0.10.0, 0.10.1, 0.10.2, 0.11.1
All unaffected versions: 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.7.0, 0.7.2, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.10.3, 0.11.2
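A check of an installed decidim-decidim_awesome version against the affected ranges above, added here as an example and not taken from ecosyste.ms or Decidim-Awesome. It uses RubyGems' own version arithmetic (the same comparison bundler-audit relies on) and reads the locked version from a Gemfile.lock; the lockfile excerpt is constructed for the illustration.

```ruby
# Added example, not from ecosyste.ms or Decidim-Awesome. Ranges and fixed
# versions are those published in the advisory.
require "rubygems"

AFFECTED_RANGES = [
  Gem::Requirement.new(">= 0.9.1", "< 0.10.3"),
  Gem::Requirement.new(">= 0.11.0", "< 0.11.2"),
].freeze

FIXED_VERSIONS = %w[0.10.3 0.11.2].map { |v| Gem::Version.new(v) }.freeze

# True when the version falls inside any affected range. Gem::Version orders
# prereleases below their release (0.11.2.pre < 0.11.2), so a prerelease of a
# fixed version still counts as affected.
def affected?(version_string)
  version = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |range| range.satisfied_by?(version) }
end

# The smallest fixed version above the installed one, or nil when already
# on or past a fixed version.
def upgrade_target(version_string)
  version = Gem::Version.new(version_string)
  FIXED_VERSIONS.find { |fixed| fixed > version }&.to_s
end

# Pull a gem's locked version out of Gemfile.lock text. Spec entries sit under
# "specs:" indented by exactly four spaces; their dependencies use six.
def locked_version(lockfile_text, gem_name = "decidim-decidim_awesome")
  match = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/)
  match && match[1]
end

# Constructed Gemfile.lock excerpt for the illustration.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      decidim-core (0.27.4)
      decidim-decidim_awesome (0.11.1)
        decidim-admin (~> 0.27.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  version = locked_version(SAMPLE_LOCK)
  puts "#{version}: affected=#{affected?(version)} upgrade_to=#{upgrade_target(version)}"
end
```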