CVE-2023-47634
Severity: LOW (CVSS score 3.1) | EPSS: 0.29%
Race condition in Endorsements
Published: 2/20/2024 | Modified: 2/14/2025
Also known as: GHSA-r275-j57c-7mf2
Description
### Impact
A race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than one endorsement. To exploit this vulnerability, the request to set an endorsement must be sent several times in parallel.
### Workarounds
Disable the Endorsement feature in the components.
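The description above is a classic check-then-insert race: the request handler checks whether the user already endorsed the resource and then creates the endorsement as two separate steps, so parallel requests can all pass the check before any of them writes. The following Ruby example is added here to illustrate that pattern and its mitigation; it is not Decidim's code and does not reproduce the fix in the linked commits. It assumes a constructed in-memory `EndorsementStore` standing in for the endorsements table, with a `Mutex` playing the role of the database serialising writers behind a unique index on (resource, author).

```ruby
# Added example (not Decidim's code): a check-then-insert endorsement that
# races under parallel requests, beside a version that makes the
# check-and-insert atomic, the way a database unique index on
# (resource_id, author_id) does.

# Constructed in-memory stand-in for the endorsements table.
class EndorsementStore
  class RecordNotUnique < StandardError; end

  def initialize
    @rows = []
    @lock = Mutex.new
  end

  def exists?(resource_id, author_id)
    @rows.any? { |r| r == [resource_id, author_id] }
  end

  def insert(resource_id, author_id)
    @rows << [resource_id, author_id]
  end

  # Atomic check-and-insert: models a unique index. The lock stands in for the
  # database serialising concurrent writers; the sleep widens the window to
  # show that the window no longer matters once the two steps are atomic.
  def insert_unique(resource_id, author_id)
    @lock.synchronize do
      raise RecordNotUnique if exists?(resource_id, author_id)
      sleep 0.01 # constructed delay
      insert(resource_id, author_id)
    end
  end

  def count_for(resource_id, author_id)
    @rows.count { |r| r == [resource_id, author_id] }
  end
end

# Vulnerable pattern: the existence check and the insert are separate steps,
# so several requests can all pass the check before any of them inserts.
def endorse_naive(store, resource_id, author_id)
  return :already_endorsed if store.exists?(resource_id, author_id)
  sleep 0.05 # constructed delay that widens the check-to-insert window
  store.insert(resource_id, author_id)
  :endorsed
end

# Hardened pattern: rely on the atomic unique insert and treat a uniqueness
# violation as "already endorsed" rather than as a server error.
def endorse_atomic(store, resource_id, author_id)
  store.insert_unique(resource_id, author_id)
  :endorsed
rescue EndorsementStore::RecordNotUnique
  :already_endorsed
end

# Fire N parallel requests for the same user and resource and return how many
# endorsement rows exist afterwards (1 is the correct answer).
def run_parallel(method_name, requests: 5)
  store = EndorsementStore.new
  threads = Array.new(requests) do
    Thread.new { send(method_name, store, "proposal-1", "user-42") }
  end
  threads.each(&:join)
  store.count_for("proposal-1", "user-42")
end

if __FILE__ == $PROGRAM_NAME
  puts "naive:  #{run_parallel(:endorse_naive)} endorsement rows"
  puts "atomic: #{run_parallel(:endorse_atomic)} endorsement rows"
end
```

In a real Rails application the equivalent of `insert_unique` is a database unique index on the endorsement's resource and author columns, with the controller rescuing `ActiveRecord::RecordNotUnique`; an application-level `exists?` check alone cannot close the window, because each request runs it against the same pre-insert state.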
Affected packages (1)
- RubyGems/decidim: >= 0.10.0, < 0.26.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW (3.1) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-47634
- PATCH: https://github.com/decidim/decidim
- WEB: https://github.com/decidim/decidim/commit/5c5ee7a50d75c10643dd8c495e2517641e4d74db
- WEB: https://github.com/decidim/decidim/commit/7b840d2c37a562709f4481db644d8c43add28536
- WEB: https://github.com/decidim/decidim/releases/tag/v0.26.9
- WEB: https://github.com/decidim/decidim/releases/tag/v0.27.5
- WEB: https://github.com/decidim/decidim/releases/tag/v0.28.0
- WEB: https://github.com/decidim/decidim/security/advisories/GHSA-r275-j57c-7mf2
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-47634.yml