CVE-2024-39344

HIGH

Docusign API package 8.142.14 - Info Disclosure

Title source: llm

Description

An issue was discovered in the Docusign API package 8.142.14 for Salesforce. The Apttus_DocuApi__DocusignAuthentication__mdt object is installed via the marketplace from this package and stores some configuration information in a manner that could be compromised. With the default settings when installed for all users, the object can be accessible and (via its fields) could disclose some keys. These disclosed components can be combined to create a valid session via the Docusign API. This will generally lead to a complete compromise of the Docusign account because the session is for an administrator service account and may have permission to re-authenticate as specific users with the same authorization flow.

References (2)

Core 2

Core References

Various Sources

https://deneyed.com/blog/conga/

Various Sources

https://login.salesforce.com/packaging/installPackage.apexp?p0=04t6S000000YUDxQAO

Scores

CVSS v3 8.1

EPSS 0.0050

EPSS Percentile 38.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-200

Status published

Published Aug 21, 2024

Tracked Since Feb 18, 2026