CVE-2023-47634: Race condition in Endorsements

February 20, 2024

Impact

A race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than once endorsement.

To exploit this vulnerability, the request to set an endorsement must be sent several times in parallel.

Workarounds

Disable the Endorsement feature in the components.

References

github.com/advisories/GHSA-r275-j57c-7mf2
github.com/decidim/decidim/commit/5c5ee7a50d75c10643dd8c495e2517641e4d74db
github.com/decidim/decidim/commit/7b840d2c37a562709f4481db644d8c43add28536
github.com/decidim/decidim/security/advisories/GHSA-r275-j57c-7mf2

Detect and mitigate CVE-2023-47634 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →