CVE-2023-48220

Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check done is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks` so this configuration should be respected. The bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available. `devise_invitable` to version `2.0.9` and above fix this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, invitations can be cancelled directly from the database.

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.5 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134	Product
https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34	Patch
https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454	Patch
https://github.com/decidim/decidim/releases/tag/v0.26.9	Release Notes
https://github.com/decidim/decidim/releases/tag/v0.27.5	Release Notes
https://github.com/decidim/decidim/releases/tag/v0.28.0	Release Notes
https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp	Mitigation Patch Vendor Advisory
https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198	Product
https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098	Patch
https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134	Product
https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34	Patch
https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454	Patch
https://github.com/decidim/decidim/releases/tag/v0.26.9	Release Notes
https://github.com/decidim/decidim/releases/tag/v0.27.5	Release Notes
https://github.com/decidim/decidim/releases/tag/v0.28.0	Release Notes
https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp	Mitigation Patch Vendor Advisory
https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198	Product
https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:decidim:decidim::::::ruby::*
	cpe:2.3:a:decidim:decidim::::::ruby::*
	cpe:2.3:a:decidim:decidim:0.0.1:-::::ruby::*
	cpe:2.3:a:decidim:decidim:0.0.1:alpha3::::ruby::*
	cpe:2.3:a:decidim:decidim:0.0.1:alpha4::::ruby::*
	cpe:2.3:a:decidim:decidim:0.0.1:alpha5::::ruby::*
	cpe:2.3:a:decidim:decidim:0.0.1:alpha6::::ruby::*
	cpe:2.3:a:decidim:decidim:0.0.1:alpha7::::ruby::*
	cpe:2.3:a:decidim:decidim:0.0.1:alpha8::::ruby::*
	cpe:2.3:a:decidim:decidim:0.0.1:alpha9::::ruby::*

Configuration 2 (hide)

OR	cpe:2.3:a:scambra:devise_invitable::::::ruby::*
	cpe:2.3:a:scambra:devise_invitable:0.4.0:-::::ruby::*
	cpe:2.3:a:scambra:devise_invitable:0.4.0:rc3::::ruby::*
	cpe:2.3:a:scambra:devise_invitable:0.4.0:rc4::::ruby::*
	cpe:2.3:a:scambra:devise_invitable:0.4.0:rc5::::ruby::*

History

16 Dec 2024, 21:46

Type	Values Removed	Values Added
First Time		Scambra devise Invitable Scambra Decidim Decidim decidim
References	~~() https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134 -~~	() https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134 - Product
References	~~() https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34 -~~	() https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34 - Patch
References	~~() https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454 -~~	() https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454 - Patch
References	~~() https://github.com/decidim/decidim/releases/tag/v0.26.9 -~~	() https://github.com/decidim/decidim/releases/tag/v0.26.9 - Release Notes
References	~~() https://github.com/decidim/decidim/releases/tag/v0.27.5 -~~	() https://github.com/decidim/decidim/releases/tag/v0.27.5 - Release Notes
References	~~() https://github.com/decidim/decidim/releases/tag/v0.28.0 -~~	() https://github.com/decidim/decidim/releases/tag/v0.28.0 - Release Notes
References	~~() https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp -~~	() https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp - Mitigation, Patch, Vendor Advisory
References	~~() https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198 -~~	() https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198 - Product
References	~~() https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098 -~~	() https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098 - Patch
CPE		cpe:2.3:a:scambra:devise_invitable:0.4.0:rc5::::ruby::* cpe:2.3:a:scambra:devise_invitable::::::ruby::* cpe:2.3:a:decidim:decidim:0.0.1:alpha4::::ruby::* cpe:2.3:a:decidim:decidim:0.0.1:alpha3::::ruby::* cpe:2.3:a:decidim:decidim:0.0.1:-::::ruby::* cpe:2.3:a:scambra:devise_invitable:0.4.0:rc3::::ruby::* cpe:2.3:a:decidim:decidim:0.0.1:alpha6::::ruby::* cpe:2.3:a:decidim:decidim::::::ruby::* cpe:2.3:a:scambra:devise_invitable:0.4.0:-::::ruby::* cpe:2.3:a:decidim:decidim:0.0.1:alpha5::::ruby::* cpe:2.3:a:scambra:devise_invitable:0.4.0:rc4::::ruby::* cpe:2.3:a:decidim:decidim:0.0.1:alpha8::::ruby::* cpe:2.3:a:decidim:decidim:0.0.1:alpha9::::ruby::* cpe:2.3:a:decidim:decidim:0.0.1:alpha7::::ruby::*

21 Nov 2024, 08:31

Type	Values Removed	Values Added
Summary		(es) Decidim es un framework de democracia participativa. A partir de la versión 0.4.rc3 y antes de la versión 2.0.9 de la gema `devise_invitable`, la función de invitaciones permite a los usuarios aceptar la invitación por un período de tiempo ilimitado a través de la función de restablecimiento de contraseña. Este problema crea dependencias vulnerables a partir de la versión 0.0.1.alpha3 y anteriores a las versiones 0.26.9, 0.27.5 y 0.28.0 de las gemas `decidim`, `decidim-admin` y `decidim-system`. Cuando se utiliza la función de restablecimiento de contraseña, la gema `devise_invitable` siempre acepta la invitación pendiente si el usuario ha sido invitado. La única verificación realizada es si el usuario ha sido invitado pero el código no garantiza que la invitación pendiente siga siendo válida según lo definido por el período de vencimiento de `invite_for`. Decidim establece esta configuración en `2.weeks` por lo que se debe respetar esta configuración. El error está en la gema `devise_invitable` y debería solucionarse allí y la dependencia debería actualizarse en Decidim una vez que la solución esté disponible. `devise_invitable` a la versión `2.0.9` y superiores solucionan este problema. Las versiones 0.26.9, 0.27.5 y 0.28.0 de las gemas `decidim`, `decidim-admin` y `decidim-system` contienen esta solución. Como workaround, las invitaciones se pueden cancelar directamente desde la base de datos.
References	~~() https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134 -~~	() https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134 -
References	~~() https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34 -~~	() https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34 -
References	~~() https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454 -~~	() https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454 -
References	~~() https://github.com/decidim/decidim/releases/tag/v0.26.9 -~~	() https://github.com/decidim/decidim/releases/tag/v0.26.9 -
References	~~() https://github.com/decidim/decidim/releases/tag/v0.27.5 -~~	() https://github.com/decidim/decidim/releases/tag/v0.27.5 -
References	~~() https://github.com/decidim/decidim/releases/tag/v0.28.0 -~~	() https://github.com/decidim/decidim/releases/tag/v0.28.0 -
References	~~() https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp -~~	() https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp -
References	~~() https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198 -~~	() https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198 -
References	~~() https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098 -~~	() https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098 -

20 Feb 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-20 18:15

Updated : 2024-12-16 21:46

NVD link : CVE-2023-48220

Mitre link : CVE-2023-48220

CVE.ORG link : CVE-2023-48220

JSON object : View

Products Affected

scambra

devise_invitable

decidim

decidim

CWE

CWE-672

Operation on a Resource after Expiration or Release

5.7 /10