GHSA-86fh-w43w-338c
Decidim: Verification admins can access supplied IDs from other organizations
상세
## Description
The verification admin mutation flow allows accessing, verifying, and rejecting participants records from another tenant.
## Technical description
The verification admin controllers loads pending_authorization_id with a raw `Authorization.find(...)` and then authorizes the record without checking whether it belongs to current_organization.
Reproduction steps:
1. An org2 participant uploads their ID:
<img width="2184" height="1288" alt="decidim-verification-01" src="https://github.com/user-attachments/assets/c6713454-c787-4795-b852-3c2c672358d6" />
2. An admin from another organisation, in this case org1, is able to open the ID from org2 by opening request 35, e.g `http://localhost:3001/admin/id_documents/pending_authorizations/35/confirmations/new`
<img width="1539" height="1037" alt="decidim-verification-02" src="https://github.com/user-attachments/assets/6ed646de-a501-4964-8467-013ada55ce2d" />
3. The admin then approves this request by looking up the ID in the picture (not shown in this image, but a real ID would expose this) <img width="1542" height="652" alt="decidim-verification-03" src="https://github.com/user-attachments/assets/c7ee5bea-3fa2-43d9-8330-8d834f34a9af" />
4. Now the request has been approved, which can be seen from the org2 participant authorizations page:
<img width="2279" height="720" alt="decidim-verification-04" src="https://github.com/user-attachments/assets/55ee1bab-d396-4e0f-803f-21dc31a2c125" />
### Impact
A tenant admin can access, reject or approve another tenant's `id_documents` requests.
### Patches
See https://github.com/decidim/decidim/pull/16666
### Workarounds
Disable the "Identity documents" verification
### Reference
OWASP A01:2021 Broken Access Control
### Credits
This issue was discovered in a security audit organized by the [Decidim Association](https://decidim.org) and made by [Radically Open Security](https://www.radicallyopensecurity.com/) against Decidim financed by [NGI](https://ngi.eu/).
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
0.31.0.rc1 수정 버전: 0.31.5 bundle update decidim-verifications 0.32.0.rc1 수정 버전: 0.32.0 bundle update decidim-verifications