Decidim UUID Collision Vulnerability Leading to Data Leaks

Vulnerability

A vulnerability in Decidim's private data export feature can cause data leaks due to UUID collisions. This issue is present in versions 0.30.0 prior to 0.30.4 and in versions 0.31.0.rc1 prior to 0.31.0. The vulnerability arises because the UUIDs are not generated securely, allowing for collisions that can misroute exported data between users. The problem was introduced in a previous update and can be replicated by manually creating exports with colliding UUIDs, demonstrating how one user could inadvertently receive another's private data.

Impact

Exploitation of this vulnerability can lead to unauthorized access to private data exports, causing data leaks between users.

Reproduction

The vulnerability can be reproduced by creating two private data exports with colliding UUIDs. This can be done by manually assigning UUIDs to the export files of two different users. When the first user downloads their export, they will receive the data from the second user instead, due to the UUID collision.
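
To make the failure mode concrete, here is an added illustration (written for this write-up, not Decidim's own code) of an export store keyed by UUID alone, where a colliding UUID silently misroutes one user's download to another user's data, beside a hardened variant that generates the UUID with SecureRandom, refuses to file a duplicate, and scopes the download lookup to the requesting user. The store, the Export struct and the colliding UUID value are all constructed for the example.

```ruby
require "securerandom"

# Hypothetical in-memory model of a private-data export store; it is not
# Decidim's code and only mirrors the behaviour the advisory describes.
class ExportStore
  Export = Struct.new(:uuid, :user_id, :payload)

  # Constructed sample value standing in for a manually assigned, colliding UUID.
  COLLIDING_UUID = "00000000-0000-4000-8000-000000000001".freeze

  def initialize
    @by_uuid = {}
  end

  # Vulnerable pattern: an export is filed under its UUID alone. A second export
  # that reuses the UUID overwrites the first entry, so the first user's download
  # link now resolves to the second user's private data.
  def store_unscoped(export)
    @by_uuid[export.uuid] = export
  end

  def download_unscoped(uuid)
    @by_uuid[uuid]
  end

  # Hardened pattern: SecureRandom.uuid gives a v4 UUID with 122 random bits, the
  # store refuses to overwrite an existing entry, and the download lookup is
  # scoped to the requesting user, so even a stray collision cannot hand out
  # another user's export.
  def create_scoped(user_id, payload)
    uuid = SecureRandom.uuid
    raise "UUID collision, refusing to overwrite" if @by_uuid.key?(uuid)
    @by_uuid[uuid] = Export.new(uuid, user_id, payload)
  end

  def download_scoped(user_id, uuid)
    export = @by_uuid[uuid]
    export if export && export.user_id == user_id
  end
end

# Reproduces the collision on the vulnerable store and returns the payload the
# first user actually receives (the second user's, not their own).
def misrouted_payload
  store = ExportStore.new
  store.store_unscoped(ExportStore::Export.new(ExportStore::COLLIDING_UUID, 1, "alice-private"))
  store.store_unscoped(ExportStore::Export.new(ExportStore::COLLIDING_UUID, 2, "bob-private"))
  store.download_unscoped(ExportStore::COLLIDING_UUID).payload
end
```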

Remediation

Update to Decidim 0.30.4 (for the 0.30.x series) or 0.31.0 (for the 0.31.0 release candidates) to address this vulnerability.

Added: Feb 3, 2026, 3:46 PM
Updated: Feb 3, 2026, 5:20 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 6.4
remediation: 8.3
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.