PT-2024-28462 · Docusign · Docusign Api

Andrew Schoonmaker · Published 2024-08-21 · Updated 2024-08-26 · CVE-2024-39344

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Docusign API package version 8.142.14 for Salesforce

Description

An issue was discovered in the Docusign API package for Salesforce: the Apttus DocuApi DocusignAuthentication mdt object stores configuration information in a manner that could be compromised. With default settings, the object may be accessible, disclosing keys that can be combined to create a valid session via the Docusign API. This can lead to a complete compromise of the Docusign account, because the session is for an administrator service account and may have permission to re-authenticate as specific users.

Recommendations

For Docusign API package version 8.142.14, consider restricting access to the Apttus DocuApi DocusignAuthentication mdt object to minimize the risk of exploitation. As a temporary workaround, review and secure the configuration information stored by this object to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-39344

Affected Products

Docusign Api