CVE-2023-48220 – decidim-admin
Package
Manager: gem
Name: decidim-admin
Vulnerable Version: >=0.0.1.alpha3 <0.26.9 || >=0.27.0 <0.27.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00584 pctl0.68081
Details
Possibility to circumvent the invitation token expiry period

### Impact

The invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited, as shown in this piece of code within the `devise_invitable` gem:

https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198

The only check done here is whether the user has been invited; the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period, as explained in the gem's documentation:

https://github.com/scambra/devise_invitable#model-configuration-

> `invite_for`: The period the generated invitation token is valid. After this period, the invited resource won’t be able to accept the invitation. When `invite_for` is `0` (the default), the invitation won’t expire.

Decidim sets this configuration to `2.weeks`, so this configuration should be respected:

https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134

The bug is in the `devise_invitable` gem and should be fixed there; the dependency should then be upgraded in Decidim once the fix becomes available.

### Patches

Update `devise_invitable` to version `2.0.9` or above by running the following command:

```
$ bundle update devise_invitable
```

### Workarounds

The invitations can be cancelled directly from the database by running the following command from the Rails console:

```
> Decidim::User.invitation_not_accepted.update_all(invitation_token: nil)
```

### References

OWASP ASVS V4.0.3-2.3.1

This bug has existed in the `devise_invitable` gem since this commit, which was first included in the `v0.4.rc3` release of the gem:

https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098

All versions since then are affected.

This gem was first introduced at version `~> 1.7.0` to the `decidim-admin` gem in this commit, which was first included in the `v0.0.1.alpha3` release of Decidim:

https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34

It was first introduced at version `~> 1.7.0` to the `decidim-system` gem in this commit, which was also first included in the `v0.0.1.alpha3` release of Decidim:

https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454

### Credits

This issue was discovered in City of Helsinki's security audit against Decidim 0.27 done during September 2023. The security audit was implemented by [Deloitte Finland](https://www2.deloitte.com/fi/fi.html).
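As an added illustration of the Impact and Workarounds sections above, and not code from `devise_invitable` or Decidim: a constructed in-memory model of an invited user that contrasts the accept-on-reset behaviour the advisory describes (only "was the user invited?" is checked) with one that also honours the `invite_for` period, plus an in-memory equivalent of the token-clearing workaround. The class and method names are assumptions; `INVITE_FOR` mirrors Decidim's `2.weeks` setting.

```ruby
# Constructed stand-in for an invited user record (assumption: not the
# devise_invitable or Decidim implementation). Times are UTC Time objects.
class InvitedUser
  INVITE_FOR = 14 * 24 * 60 * 60 # 2 weeks in seconds; 0 would mean "never expires"

  attr_reader :invitation_token, :invitation_created_at, :invitation_accepted_at

  def initialize(token:, created_at:)
    @invitation_token = token
    @invitation_created_at = created_at
    @invitation_accepted_at = nil
  end

  # "Has been invited and has not accepted yet": the only check the advisory
  # says the password-reset path performs.
  def invited_to_sign_up?
    !@invitation_token.nil? && @invitation_accepted_at.nil?
  end

  # The missing check: the token must be younger than invite_for.
  def invitation_period_valid?(now: Time.now.utc)
    return true if INVITE_FOR.zero?
    !@invitation_created_at.nil? && @invitation_created_at >= now - INVITE_FOR
  end

  # Vulnerable behaviour (CWE-672): a stale invitation is still accepted on reset.
  # Returns true when the invitation ends up accepted.
  def reset_password_unsafe!(now: Time.now.utc)
    accept!(now) if invited_to_sign_up?
    !@invitation_accepted_at.nil?
  end

  # Hardened behaviour: accept only while the invitation period is still valid.
  def reset_password!(now: Time.now.utc)
    accept!(now) if invited_to_sign_up? && invitation_period_valid?(now: now)
    !@invitation_accepted_at.nil?
  end

  # In-memory equivalent of the advisory's workaround: clear the token of every
  # not-yet-accepted invitation so it can no longer be redeemed at all.
  def self.cancel_pending!(users)
    users.select(&:invited_to_sign_up?).each(&:cancel!)
  end

  def cancel!
    @invitation_token = nil
  end

  private

  def accept!(now)
    @invitation_accepted_at = now
    @invitation_token = nil
  end
end
```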
Metadata
Created: 2024-02-20T19:26:51Z
Modified: 2024-02-20T19:26:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-w3q8-m492-4pwp/GHSA-w3q8-m492-4pwp.json
CWE IDs: ["CWE-672"]
Alternative ID: GHSA-w3q8-m492-4pwp
Finding: F067
Auto approve: 1