Recently, a security vulnerability (CVE-2023-39438) has been discovered and reported in the CLA-assistant application. This vulnerability allows an arbitrary authenticated user to perform certain operations such as reading or manipulating CLA information without proper authorization. In this long-read post, we will dig into the details of this vulnerability, including the code snippet that causes the issue, links to the original references, and information on how to exploit this vulnerability.

Description

CLA-assistant is a popular tool used by open-source projects for managing Contributor License Agreements (CLAs). It integrates with GitHub and provides a simple way for contributors to sign a CLA before their pull requests can be merged.

The vulnerability CVE-2023-39438 concerns a missing authorization check in the API, which allows an arbitrary authenticated user (i.e., any user with valid login credentials) to perform unauthorized actions such as:
- Reading confidential CLA information, including the personal data of the signatories and any custom fields defined by the CLA requester.
- Updating or deleting CLA-configuration settings for repositories or organizations using CLA-assistant.

Fortunately, the stored access tokens for GitHub are not compromised, since they are redacted from the API responses. However, the vulnerability still poses a significant risk to projects that rely on CLA-assistant for managing legal agreements.

Code Snippet

The vulnerability is caused by missing authorization checks in the API endpoints. For example, consider the following code snippet which handles the retrieval of CLA information:

// `app` is the Express-style application and `cla` the service that reads CLA records (both set up elsewhere).
app.get('/cla/get', async function(req, res) {
    try {
        // Vulnerable: the query is passed straight through, with no check that the
        // requesting user may read this repository's CLA data.
        const claData = await cla.get(req.query);
        res.json(claData);
    } catch (error) {
        res.status(500).json({ error: error.message });
    }
});

In this code, cla.get() is called with the query parameters from the request without checking whether the user making the request is authorized to access that particular CLA data. A similar lack of authorization checks can be observed in other API endpoints responsible for updating or deleting CLA configurations.
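A hardened version of that handler, added here as an illustration rather than taken from CLA-assistant itself: it validates the query, requires an authenticated user and checks that the user administers the repository before anything is read from the store. The in-memory store, the admin mapping and the `req.user` / `req.query` shapes are constructed assumptions for the example, and the Express response object is replaced by a minimal stand-in so the block runs without the framework.

```javascript
// Added example (not CLA-assistant's code): /cla/get with an authorization check.
// Store, user and request shapes below are constructed assumptions, not the project's model.
const repoAdmins = new Map([                 // constructed: who administers which repo
  ['repo-1001', new Set(['alice'])],
  ['repo-2002', new Set(['bob'])],
]);
const claStore = {                           // constructed: per-repo CLA records (sensitive)
  'repo-1001': { repoId: 'repo-1001', signatories: ['carol', 'dave'], custom: { company: 'ExampleCo' } },
  'repo-2002': { repoId: 'repo-2002', signatories: ['erin'], custom: {} },
};

// Allowed only when the authenticated user administers the repository. An unknown
// repoId gets the same answer as a forbidden one, so probing does not reveal which exist.
function canReadCla(user, repoId) {
  if (!user || typeof user.login !== 'string') return false;
  const admins = repoAdmins.get(repoId);
  return admins !== undefined && admins.has(user.login);
}

// Same shape as the vulnerable handler, but validates the query, requires an
// authenticated user and checks authorization before touching the store.
function claGetHandler(req, res) {
  const repoId = req.query && req.query.repoId;
  if (typeof repoId !== 'string' || repoId.length === 0) {
    return res.status(400).json({ error: 'repoId is required' });
  }
  if (!req.user) {
    return res.status(401).json({ error: 'authentication required' });
  }
  if (!canReadCla(req.user, repoId)) {
    return res.status(403).json({ error: 'forbidden' });
  }
  return res.json(claStore[repoId]);
}

// Minimal stand-in for Express's res: records the status code and JSON body.
function makeRes() {
  const r = { statusCode: 200, body: undefined };
  r.status = (code) => { r.statusCode = code; return r; };
  r.json = (body) => { r.body = body; return r; };
  return r;
}

// Push one request through the handler and return what would have been sent.
function simulate(user, query) {
  const res = claGetHandler({ user, query }, makeRes());
  return { statusCode: res.statusCode, body: res.body };
}
```

In a real deployment `canReadCla` would consult the stored repository or organization ownership rather than a hard-coded map, and the same check belongs on the update and delete endpoints the post mentions.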

Exploit Details

To exploit this vulnerability, an attacker needs to be an authenticated user of CLA-assistant. Once authenticated, they can craft malicious API calls to access or manipulate sensitive CLA information that they were not intended to access. An example of such an API call would be:

GET https://cla-assistant.io/cla/get?repoId=<REPO_ID>

Here <REPO_ID> is the targeted repository's ID. Any arbitrary authenticated user can make this request to read the CLA information pertaining to that repository.

Original References

The vulnerability was reported on the CLA-assistant GitHub page as an issue. You can find more details, including a discussion between the developers and the reporter, here:
- Issue #573: Missing authorization checks

Additionally, the CVE entry for this vulnerability can be found in the CVE List:
- CVE-2023-39438

Conclusion

As a user or maintainer of projects that rely on CLA-assistant, it is crucial to stay updated on security vulnerabilities like CVE-2023-39438. Ensure that you monitor the relevant repositories for updates and patches. In this case, it would be wise to keep an eye on the CLA-assistant GitHub repository for any changes related to this vulnerability.

Timeline

Published on: 08/15/2023 17:15:00 UTC
Last modified on: 08/22/2023 17:32:00 UTC