NVD Advisory (Low severity) · Published Feb 20, 2024 · Updated Aug 2, 2024
Decidim has race condition in Endorsements
CVE-2023-47634
Description
Decidim is a participatory democracy framework. Starting in version 0.10.0 and prior to versions 0.26.9, 0.27.5, and 0.28.0, a race condition in the endorsement of resources (for instance, a proposal) allows a user to register more than one endorsement on the same resource. To exploit this vulnerability, the request that creates an endorsement must be sent several times in parallel, so that each request passes the "already endorsed" check before any of them has been persisted. Versions 0.26.9, 0.27.5, and 0.28.0 contain a patch for this issue. As a workaround, disable the Endorsement feature in the affected components.
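The following Ruby program is an added illustration of the class of bug described above; it is not Decidim's code and does not reproduce its patch. It models the endorsements table with an in-memory store (a constructed stand-in) and forces N concurrent "endorse" requests to all pass the application-level duplicate check before any of them inserts, which is exactly the window parallel HTTP requests open against a check-then-act handler. The hardened variant pushes the uniqueness decision into the store's atomic insert, the way a database unique index does, so only one of the N requests can succeed. All names (`EndorsementStore`, `Barrier`, `endorse_racy`, `endorse_safe`, `demo`) are hypothetical.

```ruby
require "thread"

# Constructed stand-in for the endorsements table. The Mutex plays the role
# of the database engine, which serialises individual INSERTs.
class EndorsementStore
  def initialize
    @rows = []
    @lock = Mutex.new
  end

  # Application-level existence check, read without any lock (like a
  # `where(...).exists?` query issued before the INSERT).
  def exists?(resource, user)
    @rows.any? { |r| r == [resource, user] }
  end

  # Unconstrained insert: always appends a row.
  def insert(resource, user)
    @lock.synchronize { @rows << [resource, user] }
  end

  # Insert guarded by a unique (resource, user) constraint that is checked
  # atomically with the write, as a DB unique index would. Returns true if
  # the row was created, false if it violated the constraint.
  def insert_unique(resource, user)
    @lock.synchronize do
      return false if @rows.include?([resource, user])
      @rows << [resource, user]
      true
    end
  end

  def count(resource, user)
    @rows.count { |r| r == [resource, user] }
  end
end

# Minimal barrier: every thread blocks in `wait` until all `n` have arrived.
class Barrier
  def initialize(n)
    @n = n
    @arrived = 0
    @m = Mutex.new
    @cv = ConditionVariable.new
  end

  def wait
    @m.synchronize do
      @arrived += 1
      if @arrived >= @n
        @cv.broadcast
      else
        @cv.wait(@m) while @arrived < @n
      end
    end
  end
end

# Vulnerable handler: check in application code, then insert. The barrier
# models N parallel requests that have all passed the check before any of
# them commits, so each one believes it is the first endorsement.
def endorse_racy(store, resource, user, barrier)
  return :already_endorsed if store.exists?(resource, user)
  barrier.wait
  store.insert(resource, user)
  :created
end

# Hardened handler: rely on the atomic unique insert instead of a prior check.
def endorse_safe(store, resource, user, barrier)
  barrier.wait
  store.insert_unique(resource, user) ? :created : :already_endorsed
end

# Run `n` copies of `request` concurrently and collect their results.
def run_parallel(n, &request)
  barrier = Barrier.new(n)
  n.times.map { Thread.new { request.call(barrier) } }.map(&:value)
end

# Endorse one constructed proposal as one constructed user `n` times in
# parallel against both handlers and report how many rows each ends up with.
def demo(n = 5)
  resource = "proposal:42"
  user = "user:7"

  racy = EndorsementStore.new
  run_parallel(n) { |b| endorse_racy(racy, resource, user, b) }

  safe = EndorsementStore.new
  run_parallel(n) { |b| endorse_safe(safe, resource, user, b) }

  { racy: racy.count(resource, user), safe: safe.count(resource, user) }
end

puts demo(5).inspect if $PROGRAM_NAME == __FILE__
```

The general lesson for a Rails code base is that a model-level uniqueness validation is itself a check-then-act and does not close this window; the durable guard is a unique index on the columns that identify an endorsement (resource, author and, where applicable, user group), with the handler rescuing the resulting `ActiveRecord::RecordNotUnique` and treating it as "already endorsed". Whether that is what Decidim's fix commits do is not stated on this page and should be confirmed against the referenced commits.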
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| decidim (RubyGems) | >= 0.10.0, < 0.26.9 | 0.26.9 |
| decidim (RubyGems) | >= 0.27.0, < 0.27.5 | 0.27.5 |
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-r275-j57c-7mf2
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47634
- Patch commit: https://github.com/decidim/decidim/commit/5c5ee7a50d75c10643dd8c495e2517641e4d74dbghsa
- Patch commit: https://github.com/decidim/decidim/commit/7b840d2c37a562709f4481db644d8c43add28536
- Release v0.26.9: https://github.com/decidim/decidim/releases/tag/v0.26.9
- Release v0.27.5: https://github.com/decidim/decidim/releases/tag/v0.27.5
- Release v0.28.0: https://github.com/decidim/decidim/releases/tag/v0.28.0
- Decidim security advisory GHSA-r275-j57c-7mf2: https://github.com/decidim/decidim/security/advisories/GHSA-r275-j57c-7mf2
- ruby-advisory-db entry: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-47634.yml