From 622f4a2ed52ce590fa43d5d632c901b4c5dc9f8a Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Wed, 13 Nov 2024 07:10:35 -0500
Subject: [PATCH] GHSA SYNC: 1 brand new advisory
---
 .../CVE-2024-43415.yml | 67 +++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 gems/decidim-decidim_awesome/CVE-2024-43415.yml
diff --git a/gems/decidim-decidim_awesome/CVE-2024-43415.yml b/gems/decidim-decidim_awesome/CVE-2024-43415.yml
new file mode 100644
index 0000000000..05e8ff190f
--- /dev/null
+++ b/gems/decidim-decidim_awesome/CVE-2024-43415.yml
@@ -0,0 +1,67 @@
+---
+gem: decidim-decidim_awesome
+cve: 2024-43415
+ghsa: cxwf-qc32-375f
+url: https://github.com/decidim-ice/decidim-module-decidim_awesome/security/advisories/GHSA-cxwf-qc32-375f
+title: Decidim-Awesome has SQL injection in AdminAccountability
+date: 2024-11-12
+description: |
+ ## Vulnerability type: CWE-89: Improper Neutralization of Special
+
+ Elements used in an SQL Command ('SQL Injection')
+
+ ## Vendor:
+
+ Decidim International
+ Community Environment
+
+ ### Has vendor confirmed: Yes
+
+ ### Attack type: Remote
+
+ ### Impact:
+
+ Code Execution
+ Escalation of Privileges
+ Information Disclosure
+
+ ### Affected component:
+
+ A raw sql-statement that uses an interpolated variable
+ exists in the admin_role_actions method of the
+ `papertrail/version-model(app/models/decidim/decidim_awesome/paper_trail_version.rb`).
+
+ ### Attack vector:
+
+ An attacker with admin permissions could manipulate database queries
+ in order to read out the database, read files from the filesystem,
+ write files from the filesystem. In the worst case, this could lead
+ to remote code execution on the server.
+
+ Description of the vulnerability for use in the CVE
+ [ℹ] (https://cveproject.github.io/docs/content/key-details-\nphrasing.pdf):
+ An improper neutralization of special elements used in an SQL
+ command in the `papertrail/version-\nmodel` of the
+ decidim_awesome-module <= v0.11.1 (> 0.9.0) allows an authenticated
+ admin user to manipulate sql queries\nto disclose information,
+ read and write files or execute commands.
+
+ ### Discoverer Credits: Wolfgang Hotwagner
+
+ ### References:
+
+ https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability
+ https://portswigger.net/web-security/sql-injection
+cvss_v3: 9.0
+unaffected_versions:
+ - "< 0.11.0"
+patched_versions:
+ - "~> 0.10.3"
+ - ">= 0.11.2"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-43415
+ - https://github.com/decidim-ice/decidim-module-decidim_awesome/commit/84374037d34a3ac80dc18406834169c65869f11b
+ - https://github.com/decidim-ice/decidim-module-decidim_awesome/security/advisories/GHSA-cxwf-qc32-375f
+ - https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability
+ - https://github.com/advisories/GHSA-cxwf-qc32-375f
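Review bot: The `unaffected_versions` entry `"< 0.11.0"` contradicts the rest of this record — the description's own range is `decidim_awesome-module <= v0.11.1 (> 0.9.0)`, and `patched_versions` lists a `~> 0.10.3` backport, which only makes sense if the 0.10.x line was vulnerable. bundler-audit treats a version matching `unaffected_versions` as not vulnerable before it ever consults `patched_versions`, so 0.10.0–0.10.2 would silently pass this advisory as written. If the description is right, the entry should read `unaffected_versions:` / ` - "<= 0.9.0"` (or be dropped so that `patched_versions` alone defines the safe set); if `< 0.11.0` is in fact correct, then the `~> 0.10.3` patched range and the description text are what need fixing — either way the three should agree before this is merged. Separately, the literal `\n` sequences and the unbalanced backtick in the `### Affected component` paragraph look like artifacts of the upstream GHSA body and will render verbatim inside the `|` block scalar; cosmetic, but worth cleaning at the source rather than carrying into every downstream consumer.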