What is the vulnerability ID for this issue?

The vulnerability ID is CVE-2023-39438.

What is the severity of CVE-2023-39438?

The severity of CVE-2023-39438 is high with a CVSS score of 8.1.

Which software is affected by CVE-2023-39438?

The CLA-assistant software with versions up to exclusive 2.13.1 is affected by CVE-2023-39438.

Is there a fix available for CVE-2023-39438?

Yes, a fix is available for CVE-2023-39438. It is recommended to update to a version beyond 2.13.1 to mitigate the vulnerability.

Vulnerability/
CVE-2023-39438

high

8.1

CWE

862 424 863

15/8/2023

8/10/2024

CVE-2023-39438: Missing Authorization check allows certain operations on CLA Assistant data

Q: What does the vulnerability allow an attacker to do?

The vulnerability allows an arbitrary authenticated user to perform certain operations through the API of CLA-assistant, potentially exposing sensitive information.

First published: Tue Aug 15 2023(Updated: )

A missing authorization check allows an arbitrary authenticated user to perform certain operations through the API of CLA-assistant by executing specific additional steps. This allows an arbitrary authenticated user to read CLA information including information of the persons who signed them as well as custom fields the CLA requester had configured. In addition, an arbitrary authenticated user can update or delete the CLA-configuration for repositories or organizations using CLA-assistant. The stored access tokens for GitHub are not affected, as these are redacted from the API-responses.

Credit: cna@sap.com cna@sap.com

Affected Software	Affected Version	How to fix
Sap Contributor License Agreement Assistant	<2.13.1

Never miss a vulnerability like this again

Reference Links

https://github.com/cla-assistant/cla-assistant/security/advisories/GHSA-gw8p-frwv-25gh

Frequently Asked Questions

What is the vulnerability ID for this issue?
The vulnerability ID is CVE-2023-39438.
What is the severity of CVE-2023-39438?
The severity of CVE-2023-39438 is high with a CVSS score of 8.1.
Which software is affected by CVE-2023-39438?
The CLA-assistant software with versions up to exclusive 2.13.1 is affected by CVE-2023-39438.
What does the vulnerability allow an attacker to do?
The vulnerability allows an arbitrary authenticated user to perform certain operations through the API of CLA-assistant, potentially exposing sensitive information.
Is there a fix available for CVE-2023-39438?
Yes, a fix is available for CVE-2023-39438. It is recommended to update to a version beyond 2.13.1 to mitigate the vulnerability.

collector/nvd-index
agent/author
agent/type
agent/softwarecombine
agent/severity
agent/weakness
agent/references
agent/title
agent/description
agent/event
agent/first-publish-date
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/tags
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
vendor/sap
canonical/sap contributor license agreement assistant

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.