CVE-2023-48220: 
Ruby vulnerability analysis and mitigation

CVE-2023-48220 affects the devise_invitable gem's invitation feature, starting from version 0.4.rc3 and prior to version 2.0.9. The vulnerability allows users to accept invitations for an unlimited amount of time through the password reset functionality, bypassing the intended expiration period. This issue creates vulnerable dependencies in decidim, decidim-admin, and decidim-system gems from version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 (GitHub Advisory).

The vulnerability stems from a design flaw in the devise_invitable gem where the password reset functionality always accepts pending invitations without validating the invitation expiry period. The gem only checks if the user has been invited but does not verify if the pending invitation is still valid according to the invite_for configuration. While Decidim sets this configuration to 2 weeks, the validation is bypassed due to this implementation issue. The vulnerability has been assigned a CVSS v3.1 score of 7.4 (HIGH) by NIST and 5.7 (MEDIUM) by GitHub, with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N (NVD).

The vulnerability allows malicious actors to accept invitations even after they have expired, potentially leading to unauthorized access to systems that rely on the invitation expiry mechanism for security. This could compromise the confidentiality and integrity of the affected systems by allowing users to gain access to accounts and resources after their invitation period should have expired (GitHub Advisory).

The primary mitigation is to update devise_invitable to version 2.0.9 or above. For Decidim users, updating to versions 0.26.9, 0.27.5, or 0.28.0 will resolve the vulnerability. As a temporary workaround, organizations can cancel existing invitations directly from the database by running the command 'Decidim::User.invitation_not_accepted.update_all(invitation_token: nil)' from the Rails console (GitHub Advisory).

The vulnerability was discovered during City of Helsinki's security audit against Decidim 0.27, conducted by Deloitte Finland in September 2023. The issue was responsibly disclosed and patches were released in December 2023 (GitHub Advisory).