GHSA-CXWF-QC32-375F

Vulnerability from github – Published: 2024-11-12 19:52 – Updated: 2024-11-13 23:24
Summary
Decidim-Awesome has SQL injection in AdminAccountability
Details

Vulnerability type:

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Vendor:

Decidim International Community Environment

Has vendor confirmed:

Yes

Attack type:

Remote

Impact:

Code Execution
Escalation of Privileges
Information Disclosure

Affected component:

A raw SQL statement that interpolates a variable directly into the query text exists in the admin_role_actions method of the PaperTrail version model (app/models/decidim/decidim_awesome/paper_trail_version.rb).

Attack vector:

An attacker with admin permissions could manipulate database queries in order to read out the database, read files from the filesystem, or write files to the filesystem. In the worst case, this could lead to remote code execution on the server.

Description of the vulnerability for use in the CVE (https://cveproject.github.io/docs/content/key-details-phrasing.pdf): An improper neutralization of special elements used in an SQL command in the papertrail/version-model of the decidim_awesome module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate SQL queries to disclose information, read and write files, or execute commands.
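As an added illustration (not the decidim_awesome project's own code; method and column names are hypothetical), the interpolation pattern the advisory describes is shown beside its parameterized form, using a small stand-in for ActiveRecord's placeholder binding so it runs without Rails, together with a one-line lint that flags raw-SQL calls containing Ruby interpolation:

```ruby
# Added illustration, not code from the decidim_awesome module. Names such as
# role_versions_sql_* and the column item_type are hypothetical stand-ins.

# Vulnerable pattern: the value is spliced straight into the SQL text, so any
# quote character in it becomes part of the SQL grammar instead of data.
def role_versions_sql_interpolated(role)
  "SELECT * FROM versions WHERE item_type = '#{role}'"
end

# Quote a value the way a SQL adapter does: wrap it in single quotes and double
# any embedded single quote so it can never close the literal early.
def quote_sql(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Minimal stand-in for ActiveRecord's `where("item_type = ?", role)` /
# `sanitize_sql_array`: every ? placeholder is replaced by a quoted value.
def bind_sql(template, *values)
  raise ArgumentError, "placeholder count mismatch" unless template.count("?") == values.size
  values.each_with_object(template.dup) { |v, sql| sql.sub!("?") { quote_sql(v) } }
end

# Hardened pattern: the same query with the value passed as a bind parameter.
def role_versions_sql_bound(role)
  bind_sql("SELECT * FROM versions WHERE item_type = ?", role)
end

# Sanity check used below: a query is well-formed only if every string literal
# is closed. Doubled quotes are escapes, so drop them before counting.
def balanced_literals?(sql)
  sql.gsub("''", "").count("'").even?
end

# Simple source lint for code review: flag raw-SQL call sites whose string
# argument contains Ruby interpolation (#{...}).
RAW_SQL_CALLS = /\b(where|find_by_sql|execute|select_all|order|having)\s*\(\s*["']/
def flags_interpolated_sql?(line)
  line.match?(RAW_SQL_CALLS) && line.include?('#{')
end

if __FILE__ == $PROGRAM_NAME
  role = "o'brien"                       # constructed input containing a quote
  puts role_versions_sql_interpolated(role) # unbalanced quotes: malformed query
  puts role_versions_sql_bound(role)        # => ... item_type = 'o''brien'
end
```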

Discoverer Credits:

Wolfgang Hotwagner

References:

https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability/
https://portswigger.net/web-security/sql-injection

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim-decidim_awesome"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.1"
            },
            {
              "fixed": "0.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim-decidim_awesome"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.0"
            },
            {
              "fixed": "0.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-43415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-12T19:52:22Z",
    "nvd_published_at": "2024-11-12T16:15:21Z",
    "severity": "HIGH"
  },
  "details": "## Vulnerability type: \nCWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\n## Vendor: \nDecidim International Community Environment\n\n### Has vendor con\ufb01rmed: \nYes\n\n### Attack type:\nRemote\n\n### Impact:\nCode Execution\nEscalation of Privileges\nInformation Disclosure\n\n### A\ufb00ected component:\nA raw sql-statement that uses an interpolated variable exists in the admin_role_actions method of the\n`papertrail/version-model(app/models/decidim/decidim_awesome/paper_trail_version.rb`).\n\n### Attack vector:\n\nAn attacker with admin permissions could manipulate database queries in order to read out the database,\nread \ufb01les from the \ufb01lesystem, write \ufb01les from the \ufb01lesystem. In the worst case, this could lead to remote code\nexecution on the server.\nDescription of the vulnerability for use in the CVE [\u2139] (https://cveproject.github.io/docs/content/key-details-\nphrasing.pdf) : An improper neutralization of special elements used in an SQL command in the `papertrail/version-\nmodel` of the decidim_awesome-module \u003c= v0.11.1 (\u003e 0.9.0) allows an authenticated admin user to manipulate sql queries\nto disclose information, read and write files or execute commands.\n\n### Discoverer Credits:\nWolfgang Hotwagner\n\n### References:\nhttps://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability/\nhttps://portswigger.net/web-security/sql-injection",
  "id": "GHSA-cxwf-qc32-375f",
  "modified": "2024-11-13T23:24:27Z",
  "published": "2024-11-12T19:52:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/decidim-ice/decidim-module-decidim_awesome/security/advisories/GHSA-cxwf-qc32-375f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43415"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim-ice/decidim-module-decidim_awesome/commit/84374037d34a3ac80dc18406834169c65869f11b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/decidim-ice/decidim-module-decidim_awesome"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-decidim_awesome/CVE-2024-43415.yml"
    },
    {
      "type": "WEB",
      "url": "https://pentest.ait.ac.at/security-advisory/decidim-awesome-sql-injection-in-adminaccountability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Decidim-Awesome has SQL injection in AdminAccountability"
}