CVE-2023-39438
Last modified
CVE-2023-39438 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. A missing authorization check allows an arbitrary authenticated user to perform certain operations through the API of CLA-assistant by executing specific additional steps. This allows an arbitrary authenticated user to read CLA information including information of the persons who signed them as well as custom fields the CLA requester had configured. EPSS estimates a 0.39% chance of exploitation in the next 30 days.
Description
A missing authorization check allows an arbitrary authenticated user to perform certain operations through the API of CLA-assistant by executing specific additional steps. This allows an arbitrary authenticated user to read CLA information including information of the persons who signed them as well as custom fields the CLA requester had configured. In addition, an arbitrary authenticated user can update or delete the CLA-configuration for repositories or organizations using CLA-assistant. The stored access tokens for GitHub are not affected, as these are redacted from the API-responses.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sap | Contributor License Agreement Assistant | < 2.13.1 |
References
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-39438?
How severe is CVE-2023-39438?
How do I fix CVE-2023-39438?
Are you affected by CVE-2023-39438?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST