ruby-advisory-db/gems/decidim-comments/GHSA-ghmh-q25g-gxxx.yml at 8d0e4a2a6a45f29c7c4c5060c6a380c66595c8cd · rubysec/ruby-advisory-db · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
---
gem: decidim-comments
ghsa: ghmh-q25g-gxxx
url: https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx
title: Decidim's comments API allows access to all commentable resources
date: 2026-04-14
description: |
  ### Impact

  The root level `commentable` field in the API allows access to all
  commentable resources within the platform, without any permission
  checks. All Decidim instances are impacted that have not secured
  the `/api` endpoint. The `/api` endpoint is publicly available
  with the default configuration.

  ### Patches

  Not available

  ### Workarounds

  To mitigate the issue, you can limit the scope to only authenticated
  users by limiting access to the `/api` endpoint. This would require
  custom code or installing the 3rd party module `Decidim::Apiauth`.

  With custom code, the `/api` endpoint can be limited to only
  authenticated users with the following code (needs to run during
  application initialization):

  ```ruby
  # Within your application
  # config/initializers/limit_api_access.rb

  module LimitApiAccess
    extend ActiveSupport::Concern

    included do
      prepend_before_action do |controller|
        unless controller.send(:user_signed_in?)
          render plain: I18n.t("actions.login_before_access",
            scope: "decidim.core"), status: :unauthorized
        end
      end
    end
  end

  Rails.application.config.to_prepare do
    Decidim::Api::ApplicationController.include(LimitApiAccess)
  end
  ```

  Please note that this would only disable public access to the API
  and all authenticated users would be still able to exploit the
  vulnerability. This may be sufficient for some installations,
  but not for all.

  Another workaround is to limit the availability of the `/api`
  endpoint to only trusted ranges of IPs that need to access the
  API. The following Nginx configuration would help limiting the
  API access to only specific IPs:

  ```
  location /api {
    allow 192.168.1.100;
    allow 192.168.1.101;
    deny all;
  }
  ```

  The same configuration can be also used without the `allow`
  statements to disable all traffic to the the `/api` endpoint.

  When considering a workaround and the seriousness of the vulnerability,
  please consider the nature of the platform. If the platform is primarily
  serving public data, this vulnerability is not serious by its nature.
  If the platform is protecting some resources, e.g. inside private
  participation spaces, the vulnerability may expose some data to
  the attacker that is not meant public.

  If you have enabled the organization setting "Force users to
  authenticate before access organization", the scope of this
  vulnerability is limited to the users who are allowed to log in
  to the Decidim platform. This setting was introduced in version
  0.19.0 and it was applied to the `/api` endpoint in version 0.22.0.
cvss_v3: 7.5
unaffected_versions:
  - "< 0.0.1"
patched_versions:
  - "~> 0.30.5"
  - ">= 0.31.1"
related:
  url:
    - https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx
    - https://github.com/advisories/GHSA-ghmh-q25g-gxxx