Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qbTc5LTlwbTQtdnJ3Oc4AA0m2
Decidim vulnerable to sensitive data disclosure
Note: added the actual report as a comment.
Summary
Decidim, a platform for digital citizen participation, uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table).
Impact
This issue may lead to Sensitive Data Disclosure.
Patches
The problem was patched in v0.27.3.
Workarounds
Disable or unpublish all meetings components from your application.
Permalink: https://github.com/advisories/GHSA-jm79-9pm4-vrw9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qbTc5LTlwbTQtdnJ3Oc4AA0m2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 6 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-jm79-9pm4-vrw9, CVE-2023-34090
References:
- https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9
- https://github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9#advisory-comment-81110
- https://nvd.nist.gov/vuln/detail/CVE-2023-34090
- https://github.com/decidim/decidim/releases/tag/v0.27.3
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-meetings/CVE-2023-34090.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-34090.yml
- https://github.com/advisories/GHSA-jm79-9pm4-vrw9
Blast Radius: 18.7
Affected Packages
rubygems:decidim-meetings
Dependent packages: 11Dependent repositories: 311
Downloads: 257,087 total
Affected Version Ranges: >= 0.27.0, < 0.27.3
Fixed in: 0.27.3
All affected versions: 0.27.0, 0.27.1, 0.27.2
All unaffected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.5, 0.0.6, 0.0.7, 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.17.2, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.20.0, 0.20.1, 0.21.0, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.25.0, 0.25.1, 0.25.2, 0.26.0, 0.26.1, 0.26.2, 0.26.3, 0.26.4, 0.26.5, 0.26.6, 0.26.7, 0.26.8, 0.26.9, 0.26.10, 0.27.3, 0.27.4, 0.27.5, 0.27.6, 0.28.0, 0.28.1
rubygems:decidim
Dependent packages: 6Dependent repositories: 312
Downloads: 305,136 total
Affected Version Ranges: >= 0.27.0, < 0.27.3
Fixed in: 0.27.3
All affected versions: 0.27.0, 0.27.1, 0.27.2
All unaffected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.17.2, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.20.0, 0.20.1, 0.21.0, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.23.4, 0.23.5, 0.23.6, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.25.0, 0.25.1, 0.25.2, 0.26.0, 0.26.1, 0.26.2, 0.26.3, 0.26.4, 0.26.5, 0.26.6, 0.26.7, 0.26.8, 0.26.9, 0.26.10, 0.27.3, 0.27.4, 0.27.5, 0.27.6, 0.28.0, 0.28.1