Advisory for Conga Docusign API Package

July 2024, by Andrew Schoonmaker

CVE-2024-39344 - DNYD-2024-02
CVSS: 8.5 - AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

An issue was discovered in the widely used Docusign API package v8.142.14 for Salesforce. The Apttus_DocuApi__DocusignAuthentication__mdt object is installed via the marketplace from this package and stores some configuration information in a manner that could be compromised. With the default settings when installed for all users, the object can be accessible and (via its fields) could disclose private API keys. These disclosed components can be combined to create a valid session via the Docusign API. This will generally lead to a complete compromise of the Docusign account because the session is for an administrator service account and may have permission to re-authenticate as specific users with the same authorization flow. You can check out the dependency here: https://login.salesforce.com/packaging/installPackage.apexp?p0=04t6S000000YUDxQAO

Attackers can send a specially crafted HTTP request to examine the custom metadata record and read the information necessary to create an API session.