CVE-2023-47634: Race condition in Endorsements

CVSS Score: 3.1

Basic Information

EPSS Score: 0.51802%
Published: 2/20/2024
Updated: 2/14/2025
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name   Ecosystem   Vulnerable Versions     First Patched Version
decidim        rubygems    >= 0.10.0, < 0.26.9     0.26.9
decidim        rubygems    >= 0.27.0, < 0.27.5     0.27.5

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from improper handling of concurrent endorsement creation requests and inconsistent null/0 values for user_group_id. The key fixes were: 1) Adding RecordNotUnique exception handling in EndorseResource#call to catch race conditions, 2) Standardizing on 0 instead of nil for user_group_id in queries to enforce unique constraints, and 3) Updating endorsement checks to match the 0 default value. These changes indicate the original functions lacked proper synchronization and consistent unique constraint enforcement.
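Added example (not Decidim's code) that models the race described above: an in-memory stand-in for the endorsements table with a unique index on (resource_id, author_id, user_group_id) under SQL NULL semantics, ten requests released in parallel, and the check-then-insert flow before and after the fix (user_group_id 0 instead of nil, RecordNotUnique rescued). The table shape, the ids 42/7 and the request count are constructed for the illustration.

```ruby
class RecordNotUnique < StandardError; end

# Constructed stand-in for the endorsements table. Its unique index follows SQL
# semantics: NULL never equals NULL, so rows with user_group_id nil never collide.
class EndorsementTable
  def initialize
    @rows = []
    @lock = Mutex.new
  end
  def insert!(resource_id, author_id, user_group_id)
    @lock.synchronize do
      dup = @rows.any? do |r|
        r[:resource_id] == resource_id && r[:author_id] == author_id &&
          !r[:user_group_id].nil? && r[:user_group_id] == user_group_id
      end
      raise RecordNotUnique if dup
      @rows << { resource_id: resource_id, author_id: author_id, user_group_id: user_group_id }
    end
  end
  def count_for(resource_id, author_id)
    @rows.count { |r| r[:resource_id] == resource_id && r[:author_id] == author_id }
  end
end

# Vulnerable flow: "already endorsed?" check, then insert with nil group, no rescue.
def endorse_vulnerable(table, resource_id, author_id, gate = nil)
  return if table.count_for(resource_id, author_id) > 0
  gate&.pop  # hold here until every parallel request has passed the check
  table.insert!(resource_id, author_id, nil)
end

# Fixed flow: group normalized to 0 so the unique index applies, and the
# RecordNotUnique raised for the losing requests is treated as "already endorsed".
def endorse_fixed(table, resource_id, author_id, gate = nil)
  return if table.count_for(resource_id, author_id) > 0
  gate&.pop
  table.insert!(resource_id, author_id, 0)
rescue RecordNotUnique
  nil
end

# Sends N parallel requests for the same (resource, author), releases them all once
# each has passed the check, and returns how many endorsement rows were created.
def parallel_endorse(method_name, requests: 10)
  table = EndorsementTable.new
  gate = Queue.new
  threads = requests.times.map { Thread.new { send(method_name, table, 42, 7, gate) } }
  Thread.pass until gate.num_waiting == requests
  requests.times { gate << :go }
  threads.each(&:join)
  table.count_for(42, 7)
end
```

With the vulnerable flow all ten requests pass the check and every nil-group insert succeeds; with the fix only the first insert lands and the rest are rejected by the constraint and rescued.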


WAF Protection Rules

WAF Rule

Impact: A race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than one endorsement. To exploit this vulnerability, the request to set an endorsement must be sent several times in parallel.
