CVE-2023-39438

EPSS 0.17%
Published 15.08.2023 17:15:12
Last modified 21.11.2024 08:15:25
Source cna@sap.com
Teams watchlist Login
Open Login

A missing authorization check allows an arbitrary authenticated user to perform certain operations through the API of CLA-assistant by executing specific additional steps. This allows an arbitrary authenticated user to read CLA information including information of the persons who signed them as well as custom fields the CLA requester had configured. In addition, an arbitrary authenticated user can update or delete the CLA-configuration for repositories or organizations using CLA-assistant. The stored access tokens for GitHub are not affected, as these are redacted from the API-responses.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

SAP ≫ Contributor License Agreement Assistant Version < 2.13.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.17%	0.384

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
cna@sap.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/cla-assistant/cla-assistant/security/advisories/GHSA-gw8p-frwv-25gh

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-39438

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-39438

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-39438

EUVD