VDB
EN
MEDIUM 4.9

GHSA-86fh-w43w-338c

Decidim: Verification admins can access supplied IDs from other organizations

상세

## Description

The verification admin mutation flow allows accessing, verifying, and rejecting participants records from another tenant.

## Technical description

The verification admin controllers loads pending_authorization_id with a raw `Authorization.find(...)` and then authorizes the record without checking whether it belongs to current_organization.

Reproduction steps:

1. An org2 participant uploads their ID:

<img width="2184" height="1288" alt="decidim-verification-01" src="https://github.com/user-attachments/assets/c6713454-c787-4795-b852-3c2c672358d6" />

2. An admin from another organisation, in this case org1, is able to open the ID from org2 by opening request 35, e.g `http://localhost:3001/admin/id_documents/pending_authorizations/35/confirmations/new`

<img width="1539" height="1037" alt="decidim-verification-02" src="https://github.com/user-attachments/assets/6ed646de-a501-4964-8467-013ada55ce2d" />

3. The admin then approves this request by looking up the ID in the picture (not shown in this image, but a real ID would expose this) <img width="1542" height="652" alt="decidim-verification-03" src="https://github.com/user-attachments/assets/c7ee5bea-3fa2-43d9-8330-8d834f34a9af" />

4. Now the request has been approved, which can be seen from the org2 participant authorizations page:

<img width="2279" height="720" alt="decidim-verification-04" src="https://github.com/user-attachments/assets/55ee1bab-d396-4e0f-803f-21dc31a2c125" />

### Impact

A tenant admin can access, reject or approve another tenant's `id_documents` requests.

### Patches

See https://github.com/decidim/decidim/pull/16666

### Workarounds

Disable the "Identity documents" verification

### Reference

OWASP A01:2021 Broken Access Control

### Credits

This issue was discovered in a security audit organized by the [Decidim Association](https://decidim.org) and made by [Radically Open Security](https://www.radicallyopensecurity.com/) against Decidim financed by [NGI](https://ngi.eu/).

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

RubyGems / decidim-verifications
최초 영향 버전: 0 수정 버전: 0.30.9
수정 bundle update decidim-verifications
RubyGems / decidim-verifications
최초 영향 버전: 0.31.0.rc1 수정 버전: 0.31.5
수정 bundle update decidim-verifications
RubyGems / decidim-verifications
최초 영향 버전: 0.32.0.rc1 수정 버전: 0.32.0
수정 bundle update decidim-verifications

참고