CWE-672
Allowed-with-ReviewOperation on a Resource after Expiration or Release
Abstraction: Class · Status: Draft
The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
118 vulnerabilities reference this CWE, most recent first.
GHSA-QXRR-WRHX-J83R
Vulnerability from github – Published: 2022-12-10 00:30 – Updated: 2022-12-13 03:30User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been deleted.
{
"affected": [],
"aliases": [
"CVE-2022-45292"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-09T22:15:00Z",
"severity": "MODERATE"
},
"details": "User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been deleted.",
"id": "GHSA-qxrr-wrhx-j83r",
"modified": "2022-12-13T03:30:45Z",
"published": "2022-12-10T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45292"
},
{
"type": "WEB",
"url": "https://dev.funkwhale.audio/funkwhale/funkwhale/-/issues/1952"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R6CX-VW2Q-5GQG
Vulnerability from github – Published: 2026-01-02 18:30 – Updated: 2026-01-02 18:30In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.
{
"affected": [],
"aliases": [
"CVE-2025-69415"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-02T17:16:23Z",
"severity": "HIGH"
},
"details": "In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.",
"id": "GHSA-r6cx-vw2q-5gqg",
"modified": "2026-01-02T18:30:55Z",
"published": "2026-01-02T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69415"
},
{
"type": "WEB",
"url": "https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R88F-774M-5RJ4
Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-08 00:00A flaw was found in OpenStack. The application credential tokens can be used even after they have expired. This flaw allows an authenticated remote attacker to obtain access despite the defender's efforts to remove access.
{
"affected": [],
"aliases": [
"CVE-2022-2447"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-01T21:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in OpenStack. The application credential tokens can be used even after they have expired. This flaw allows an authenticated remote attacker to obtain access despite the defender\u0027s efforts to remove access.",
"id": "GHSA-r88f-774m-5rj4",
"modified": "2022-09-08T00:00:30Z",
"published": "2022-09-02T00:01:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2447"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-2447"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105419"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R8W9-5WCG-VFJ7
Vulnerability from github – Published: 2024-03-04 20:44 – Updated: 2024-03-06 21:37Impact
When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free.
For users of Tokio, this vulnerability is serious and can result in a use-after-free in Tokio.
The vulnerability is Windows-specific, and can only happen if you are using named pipes. Other IO resources are not affected.
Affected versions
This vulnerability has been fixed in mio v0.8.11.
All versions of mio between v0.7.2 and v0.8.10 are vulnerable.
Tokio is vulnerable when you are using a vulnerable version of mio AND you are using at least Tokio v1.30.0. Versions of Tokio prior to v1.30.0 will ignore invalid tokens, so they are not vulnerable.
Workarounds
Vulnerable libraries that use mio can work around this issue by detecting and ignoring invalid tokens.
Technical details
When an IO resource registered with mio has a readiness event, mio delivers that readiness event to the user using a user-specified token. Mio guarantees that when an IO resource is deregistered, then it will never return the token for that IO resource again. However, for named pipes on windows, mio may sometimes deliver the token for a named pipe even though the named pipe has been previously deregistered.
This vulnerability was originally reported in the Tokio issue tracker: tokio-rs/tokio#6369 This vulnerability was fixed in: tokio-rs/mio#1760 This vulnerability is also known as RUSTSEC-2024-0019.
Thank you to @rofoun and @radekvit for discovering and reporting this issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.10"
},
"package": {
"ecosystem": "crates.io",
"name": "mio"
},
"ranges": [
{
"events": [
{
"introduced": "0.7.2"
},
{
"fixed": "0.8.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-27308"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-672"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-04T20:44:35Z",
"nvd_published_at": "2024-03-06T20:15:47Z",
"severity": "HIGH"
},
"details": "### Impact\n\nWhen using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free.\n\nFor users of Tokio, this vulnerability is serious and can result in a use-after-free in Tokio.\n\nThe vulnerability is Windows-specific, and can only happen if you are using named pipes. Other IO resources are not affected.\n\n### Affected versions\nThis vulnerability has been fixed in mio v0.8.11.\n\nAll versions of mio between v0.7.2 and v0.8.10 are vulnerable.\n\nTokio is vulnerable when you are using a vulnerable version of mio AND you are using at least Tokio v1.30.0. Versions of Tokio prior to v1.30.0 will ignore invalid tokens, so they are not vulnerable.\n\n### Workarounds\nVulnerable libraries that use mio can work around this issue by detecting and ignoring invalid tokens.\n\n### Technical details\n\nWhen an IO resource registered with mio has a readiness event, mio delivers that readiness event to the user using a user-specified token. Mio guarantees that when an IO resource is [deregistered](https://docs.rs/mio/latest/mio/struct.Registry.html#method.deregister), then it will never return the token for that IO resource again. However, for named pipes on windows, mio may sometimes deliver the token for a named pipe even though the named pipe has been previously deregistered.\n\nThis vulnerability was originally reported in the Tokio issue tracker: [tokio-rs/tokio#6369](https://github.com/tokio-rs/tokio/issues/6369)\nThis vulnerability was fixed in: [tokio-rs/mio#1760](https://github.com/tokio-rs/mio/pull/1760)\nThis vulnerability is also known as [RUSTSEC-2024-0019](https://rustsec.org/advisories/RUSTSEC-2024-0019.html).\n\nThank you to @rofoun and @radekvit for discovering and reporting this issue.",
"id": "GHSA-r8w9-5wcg-vfj7",
"modified": "2024-03-06T21:37:37Z",
"published": "2024-03-04T20:44:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tokio-rs/mio/security/advisories/GHSA-r8w9-5wcg-vfj7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27308"
},
{
"type": "WEB",
"url": "https://github.com/tokio-rs/tokio/issues/6369"
},
{
"type": "WEB",
"url": "https://github.com/tokio-rs/mio/pull/1760"
},
{
"type": "WEB",
"url": "https://github.com/tokio-rs/mio/commit/90d4fe00df870acd3d38f3dc4face9aacab8fbb9"
},
{
"type": "PACKAGE",
"url": "https://github.com/tokio-rs/mio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mio\u0027s tokens for named pipes may be delivered after deregistration"
}
GHSA-RH37-88V6-QM47
Vulnerability from github – Published: 2022-04-19 00:00 – Updated: 2025-11-04 00:30A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.
{
"affected": [],
"aliases": [
"CVE-2021-42778"
],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-18T17:15:00Z",
"severity": "MODERATE"
},
"details": "A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.",
"id": "GHSA-rh37-88v6-qm47",
"modified": "2025-11-04T00:30:31Z",
"published": "2022-04-19T00:00:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42778"
},
{
"type": "WEB",
"url": "https://github.com/OpenSC/OpenSC/commit/f015746d"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28185"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2016083"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00026.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202209-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-V8J2-5F9P-FMH4
Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-18 15:31Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-q8ff-7ffm-m3r9. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T15:31:00Z",
"nvd_published_at": "2026-05-11T18:16:40Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-q8ff-7ffm-m3r9. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.",
"id": "GHSA-v8j2-5f9p-fmh4",
"modified": "2026-05-18T15:31:00Z",
"published": "2026-05-11T18:31:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45005"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw\u0027s Webhooks SecretRef route secret remains valid after rotation/reload",
"withdrawn": "2026-05-18T15:31:00Z"
}
GHSA-VC86-73MC-M266
Vulnerability from github – Published: 2022-11-11 19:00 – Updated: 2022-11-17 15:30Premature release of resource during expected lifetime in the Intel(R) SGX SDK software may allow a privileged user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2022-27499"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-11T16:15:00Z",
"severity": "MODERATE"
},
"details": "Premature release of resource during expected lifetime in the Intel(R) SGX SDK software may allow a privileged user to potentially enable information disclosure via local access.",
"id": "GHSA-vc86-73mc-m266",
"modified": "2022-11-17T15:30:24Z",
"published": "2022-11-11T19:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27499"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00691.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VMC8-GGH9-8P8J
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2022-11-10 12:01TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If decoding routine would throw an exception, ZRLEDecoder may try to access stack variable, which has been already freed during the process of stack unwinding. Exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.
{
"affected": [],
"aliases": [
"CVE-2019-15691"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-26T15:15:00Z",
"severity": "HIGH"
},
"details": "TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If decoding routine would throw an exception, ZRLEDecoder may try to access stack variable, which has been already freed during the process of stack unwinding. Exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.",
"id": "GHSA-vmc8-ggh9-8p8j",
"modified": "2022-11-10T12:01:17Z",
"published": "2022-05-24T17:05:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15691"
},
{
"type": "WEB",
"url": "https://github.com/CendioOssman/tigervnc/commit/d61a767d6842b530ffb532ddd5a3d233119aad40"
},
{
"type": "WEB",
"url": "https://github.com/TigerVNC/tigervnc/releases/tag/v1.10.1"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2019/12/20/2"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00039.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQ23-5H4F-VWPV
Vulnerability from github – Published: 2021-08-25 21:01 – Updated: 2022-06-15 19:41An issue was discovered in the abi_stable crate before 0.9.1 for Rust. DrainFilter lacks soundness because of a double drop.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "abi_stable"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36212"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-26T17:17:19Z",
"nvd_published_at": "2021-01-26T18:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the abi_stable crate before 0.9.1 for Rust. DrainFilter lacks soundness because of a double drop.",
"id": "GHSA-vq23-5h4f-vwpv",
"modified": "2022-06-15T19:41:47Z",
"published": "2021-08-25T21:01:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36212"
},
{
"type": "WEB",
"url": "https://github.com/rodrimati1992/abi_stable_crates/issues/44"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0105.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Update unsound DrainFilter and RString::retain"
}
GHSA-W3Q8-M492-4PWP
Vulnerability from github – Published: 2024-02-20 19:26 – Updated: 2024-02-20 19:26Impact
The invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality.
When using the password reset functionality, the devise_invitable gem always accepts the pending invitation if the user has been invited as shown in this piece of code within the devise_invitable gem:
https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198
The only check done here is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the invite_for expiry period as explained in the gem's documentation:
https://github.com/scambra/devise_invitable#model-configuration-
invite_for: The period the generated invitation token is valid. After this period, the invited resource won’t be able to accept the invitation. Wheninvite_foris0(the default), the invitation won’t expire.
Decidim sets this configuration to 2.weeks so this configuration should be respected:
https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134
The bug is in the devise_invitable gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available.
Patches
Update devise_invitable to version 2.0.9 or above by running the following command:
$ bundle update devise_invitable
Workarounds
The invitations can be cancelled directly from the database by running the following command from the Rails console:
> Decidim::User.invitation_not_accepted.update_all(invitation_token: nil)
References
OWASP ASVS V4.0.3-2.3.1
This bug has existed in the devise_invitable gem since this commit which was first included in the v0.4.rc3 release of this gem:
https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098
All versions since then are affected.
This gem was first introduced at its version ~> 1.7.0 to the decidim-admin gem in this commit which was first included in the v0.0.1.alpha3 release of Decidim:
https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34
It was first introduced at its version ~> 1.7.0 to the decidim-system gem in this commit which was also first included in the v0.0.1.alpha3 release of Decidim:
https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454
Credits
This issue was discovered in City of Helsinki's security audit against Decidim 0.27 done during September 2023. The security audit was implemented by Deloitte Finland.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "decidim"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.1.alpha3"
},
{
"fixed": "0.26.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "decidim-admin"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.1.alpha3"
},
{
"fixed": "0.26.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "decidim-system"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.1.alpha3"
},
{
"fixed": "0.26.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "devise_invitable"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.rc3"
},
{
"fixed": "2.0.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "decidim"
},
"ranges": [
{
"events": [
{
"introduced": "0.27.0"
},
{
"fixed": "0.27.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "decidim-admin"
},
"ranges": [
{
"events": [
{
"introduced": "0.27.0"
},
{
"fixed": "0.27.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "decidim-system"
},
"ranges": [
{
"events": [
{
"introduced": "0.27.0"
},
{
"fixed": "0.27.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-48220"
],
"database_specific": {
"cwe_ids": [
"CWE-672"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-20T19:26:51Z",
"nvd_published_at": "2024-02-20T18:15:50Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality.\n\nWhen using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited as shown in this piece of code within the `devise_invitable` gem:\nhttps://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198\n\nThe only check done here is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period as explained in the gem\u0027s documentation:\nhttps://github.com/scambra/devise_invitable#model-configuration-\n\n\u003e `invite_for`: The period the generated invitation token is valid. After this period, the invited resource won\u2019t be able to accept the invitation. When `invite_for` is `0` (the default), the invitation won\u2019t expire.\n\nDecidim sets this configuration to `2.weeks` so this configuration should be respected:\nhttps://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134\n\nThe bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available.\n\n### Patches\nUpdate `devise_invitable` to version `2.0.9` or above by running the following command:\n\n```\n$ bundle update devise_invitable\n```\n\n### Workarounds\nThe invitations can be cancelled directly from the database by running the following command from the Rails console:\n\n```\n\u003e Decidim::User.invitation_not_accepted.update_all(invitation_token: nil)\n```\n\n### References\nOWASP ASVS V4.0.3-2.3.1\n\nThis bug has existed in the `devise_invitable` gem since this commit which was first included in the `v0.4.rc3` release of this gem:\nhttps://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098\n\nAll versions since then are affected.\n\nThis gem was first introduced at its version `~\u003e 1.7.0` to the `decidim-admin` gem in this commit which was first included in the `v0.0.1.alpha3` release of Decidim:\nhttps://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34\n\nIt was first introduced at its version `~\u003e 1.7.0` to the `decidim-system` gem in this commit which was also first included in the `v0.0.1.alpha3` release of Decidim:\nhttps://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454\n\n### Credits\nThis issue was discovered in City of Helsinki\u0027s security audit against Decidim 0.27 done during September 2023. The security audit was implemented by [Deloitte Finland](https://www2.deloitte.com/fi/fi.html).",
"id": "GHSA-w3q8-m492-4pwp",
"modified": "2024-02-20T19:26:51Z",
"published": "2024-02-20T19:26:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/decidim/decidim/security/advisories/GHSA-w3q8-m492-4pwp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48220"
},
{
"type": "WEB",
"url": "https://github.com/decidim/decidim/commit/073e60e2e4224dd81815a784002ebba30f2ebb34"
},
{
"type": "WEB",
"url": "https://github.com/decidim/decidim/commit/b12800717a689c295a9ea680a38ca9f823d2c454"
},
{
"type": "WEB",
"url": "https://github.com/scambra/devise_invitable/commit/94d859c7de0829bf63f679ae5dd3cab2b866a098"
},
{
"type": "PACKAGE",
"url": "https://github.com/decidim/decidim"
},
{
"type": "WEB",
"url": "https://github.com/decidim/decidim/blob/d2d390578050772d1bdb6d731395f1afc39dcbfc/decidim-core/config/initializers/devise.rb#L134"
},
{
"type": "WEB",
"url": "https://github.com/decidim/decidim/releases/tag/v0.26.9"
},
{
"type": "WEB",
"url": "https://github.com/decidim/decidim/releases/tag/v0.27.5"
},
{
"type": "WEB",
"url": "https://github.com/decidim/decidim/releases/tag/v0.28.0"
},
{
"type": "WEB",
"url": "https://github.com/scambra/devise_invitable/blob/41f58970ff76fb64382a9b9ea1bd530f7c3adab2/lib/devise_invitable/models.rb#L198"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Possibility to circumvent the invitation token expiry period"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.