CVE-2023-39438

Name of the Vulnerable Software and Affected Versions CLA-assistant (affected versions not specified)

Description A missing authorization check in the CLA-assistant API allows an arbitrary authenticated user to perform certain operations by executing specific additional steps. This enables the user to read CLA information, including details of persons who signed them and custom fields configured by the CLA requester. Furthermore, an arbitrary authenticated user can update or delete the CLA-configuration for repositories or organizations using CLA-assistant. The stored access tokens for GitHub are not affected, as these are redacted from the API-responses.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.