Back

CVE-2024-39344

Aug. 21, 2024, 5:25 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Docusign API package for Salesforce

  • 8.142.14

Source

cve@mitre.org

Tags

cve@mitre.org
2024-08-21
CVE-2024-39344

CVE-2024-39344 details

Published : Aug. 21, 2024, 4:15 p.m.
Last Modified : Aug. 21, 2024, 5:25 p.m.

Description

An issue was discovered in the Docusign API package 8.142.14 for Salesforce. The Apttus_DocuApi__DocusignAuthentication__mdt object is installed via the marketplace from this package and stores some configuration information in a manner that could be compromised. With the default settings when installed for all users, the object can be accessible and (via its fields) could disclose some keys. These disclosed components can be combined to create a valid session via the Docusign API. This will generally lead to a complete compromise of the Docusign account because the session is for an administrator service account and may have permission to re-authenticate as specific users with the same authorization flow.

CVSS Score

1 2 3 4 5 6 7 8 9 10

Weakness

Weakness Name Description

References

URL Source
https://deneyed.com/blog/conga/ cve@mitre.org
https://login.salesforce.com/packaging/installPackage.apexp?p0=04t6S000000YUDxQAO cve@mitre.org
This website uses the NVD API, but is not approved or certified by it.