Race condition in Endorsements
Published: February 20, 2024
SECURITY IDENTIFIERS
- CVE: CVE-2023-47634 (NVD)
- GHSA: GHSA-r275-j57c-7mf2
- Vendor Advisory: https://github.com/decidim/decidim/security/advisories/GHSA-r275-j57c-7mf2
GEM
SEVERITY
CVSS v3.x: 3.1 (Low)
UNAFFECTED VERSIONS
< 0.10.0
PATCHED VERSIONS
~> 0.26.9
>= 0.27.5
DESCRIPTION
Impact
A race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than once endorsement.
To exploit this vulnerability, the request to set an endorsement must be sent several times in parallel.
Workarounds
Disable the Endorsement feature in the components.