Lucene search

RubySecRUBY:DECIDIM-MEETINGS-2023-34090

HistoryJul 10, 2023 - 9:00 p.m.

Decidim vulnerable to sensitive data disclosure

2023-07-1021:00:00

RubySec

github.com

decidim

sensitive data disclosure

ransack

third-party library

database collections

public meetings

unauthenticated remote attacker

exfiltrate

user table

patches

v0.27.3

workarounds

meetings components

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

JSON

Note: added the actual report as a comment.

Summary

Decidim, a platform for digital citizen participation, uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default, this library allows filtering on all data attributes and associations. This allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance (e.g., exfiltrating data from the user table).

Impact

This issue may lead to Sensitive Data Disclosure.

Patches

The problem was patched in v0.27.3.

Workarounds

Disable or unpublish all meetings components from your application.

Affected configurations

Vulners

Node

rubydecidim-meetingsRange≤0.27.3

VendorProductVersionCPE
rubydecidim-meetings*cpe:2.3:a:ruby:decidim-meetings:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	decidim-meetings	*	cpe:2.3:a:ruby:decidim-meetings::::::::

References

github.com/decidim/decidim/security/advisories/GHSA-jm79-9pm4-vrw9

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

JSON

Related for RUBY:DECIDIM-MEETINGS-2023-34090