CVE-2023-34090: 
Ruby vulnerability analysis and mitigation

Decidim, a participatory democracy framework written in Ruby on Rails, was found to contain a sensitive data disclosure vulnerability (CVE-2023-34090). The vulnerability was discovered in versions 0.27.0 through 0.27.2 and was patched in version 0.27.3, released on May 11, 2023. The issue affected the platform's use of the Ransack library for filtering database collections, particularly in the public meetings functionality (GitHub Advisory).

The vulnerability stems from Decidim's use of the Ransack library for filtering database collections. By default, Ransack allows filtering on all data attributes and associations without proper restrictions. The vulnerability exists in the CalendarsController where user-controlled query filters can be passed through several classes before ultimately reaching a ransack sink in the ComponentCalendar class. This implementation allows attackers to perform brute force attacks with specially crafted query filters using Ransack's start(of) method (Security Lab).

The vulnerability allows an unauthenticated remote attacker to exfiltrate non-public data from the underlying database of a Decidim instance. This includes sensitive information such as user table data and meeting salts. The attack method allows for character-by-character brute forcing of database field values, making it possible to retrieve complete records over time (Security Lab).

The vulnerability was patched in Decidim version 0.27.3. For systems that cannot immediately update, the recommended workaround is to disable or unpublish all meetings components from the application (GitHub Advisory).