GHSA SYNC: 1 brand new advisory #835

Merged (1 commit), Nov 13, 2024
67 changes: 67 additions & 0 deletions gems/decidim-decidim_awesome/CVE-2024-43415.yml
@@ -0,0 +1,67 @@
---
gem: decidim-decidim_awesome
cve: 2024-43415
ghsa: cxwf-qc32-375f
url: https://github.com/decidim-ice/decidim-module-decidim_awesome/security/advisories/GHSA-cxwf-qc32-375f
title: Decidim-Awesome has SQL injection in AdminAccountability
date: 2024-11-12
description: |
## Vulnerability type: CWE-89: Improper Neutralization of Special

Elements used in an SQL Command ('SQL Injection')

## Vendor:

Decidim International
Community Environment

### Has vendor confirmed: Yes

### Attack type: Remote

### Impact:

Code Execution
Escalation of Privileges
Information Disclosure

### Affected component:

A raw sql-statement that uses an interpolated variable
exists in the admin_role_actions method of the
`papertrail/version-model(app/models/decidim/decidim_awesome/paper_trail_version.rb`).

### Attack vector:

An attacker with admin permissions could manipulate database queries
in order to read out the database, read files from the filesystem,
write files from the filesystem. In the worst case, this could lead
to remote code execution on the server.

Description of the vulnerability for use in the CVE
[ℹ] (https://cveproject.github.io/docs/content/key-details-\nphrasing.pdf):
An improper neutralization of special elements used in an SQL
command in the `papertrail/version-\nmodel` of the
decidim_awesome-module <= v0.11.1 (> 0.9.0) allows an authenticated
admin user to manipulate sql queries\nto disclose information,
read and write files or execute commands.

### Discoverer Credits: Wolfgang Hotwagner

### References:

https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability
https://portswigger.net/web-security/sql-injection
cvss_v3: 9.0
unaffected_versions:
- "< 0.11.0"
patched_versions:
- "~> 0.10.3"
- ">= 0.11.2"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2024-43415
- https://github.com/decidim-ice/decidim-module-decidim_awesome/commit/84374037d34a3ac80dc18406834169c65869f11b
- https://github.com/decidim-ice/decidim-module-decidim_awesome/security/advisories/GHSA-cxwf-qc32-375f
- https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability
- https://github.com/advisories/GHSA-cxwf-qc32-375f
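Review bot: the version ranges at the bottom of the file contradict the description and overlap each other. `unaffected_versions: "< 0.11.0"` declares every 0.10.x release clean, yet `patched_versions` lists `"~> 0.10.3"` (a fix on the 0.10 line only makes sense if 0.10.x is affected) and the description states the flaw is in `decidim_awesome-module <= v0.11.1 (> 0.9.0)`. Consistent with that text, the unaffected range should be `"<= 0.9.0"` (or the key dropped entirely), leaving `~> 0.10.3` and `>= 0.11.2` as the patched versions; as written, tooling that consumes this file will report 0.10.0 through 0.10.2 as safe. Smaller cleanups in the description block: the literal `\n` sequences in `key-details-\nphrasing.pdf`, `version-\nmodel` and `sql queries\nto disclose` were carried over from the upstream advisory text and, in the first case, corrupt the PDF URL, so they should be removed (the `|` block scalar already preserves line breaks); the `[ℹ] (https://...)` link has a space between `]` and `(`, so it will not render as a link; on the affected-component line the closing backtick sits after the `)` instead of before it; and the first heading is split across a blank line (`## Vulnerability type: CWE-89: Improper Neutralization of Special` followed by `Elements used in an SQL Command ('SQL Injection')`), which renders as a truncated heading plus a stray paragraph. Joining those two lines and fixing the vendor line-break (`Decidim International` / `Community Environment`) would make the rendered advisory match the GHSA text.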