CVE-2023-39438

Missing Authorization check allows certain operations on CLA Assistant data

Severity Score

8.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

A missing authorization check allows an arbitrary authenticated user to perform certain operations through the API of CLA-assistant by executing specific additional steps. This allows an arbitrary authenticated user to read CLA information including information of the persons who signed them as well as custom fields the CLA requester had configured. In addition, an arbitrary authenticated user can update or delete the CLA-configuration for repositories or organizations using CLA-assistant. The stored access tokens for GitHub are not affected, as these are redacted from the API-responses.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2023-08-01 CVE Reserved
  • 2023-08-15 CVE Published
  • 2024-08-21 EPSS Updated
  • 2024-10-08 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-424: Improper Protection of Alternate Path
  • CWE-862: Missing Authorization
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor: Sap
Product: Contributor License Agreement Assistant
Version: < 2.13.1
Other: -
Status: Affected