
CVE-2024-39344

Severity: High
Published: Wed Aug 21 2024 (08/21/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2024-39344 is a high-severity vulnerability in the Docusign API package 8.142.14 for Salesforce. The vulnerability arises from the Apttus_DocuApi__DocusignAuthentication__mdt object, which stores configuration data insecurely and is readable by all users by default. This exposure can lead to disclosure of keys that attackers can use to create valid sessions via the Docusign API. Because the session corresponds to an administrator service account, attackers may fully compromise the Docusign account and re-authenticate as specific users. The vulnerability requires only low privileges and no user interaction, making exploitation relatively straightforward. No known exploits are currently reported in the wild. Organizations using this package with default settings are at significant risk of unauthorized access and account takeover.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 05:55:01 UTC

Technical Analysis

CVE-2024-39344 is a vulnerability identified in the Docusign API package version 8.142.14 for Salesforce, specifically involving the Apttus_DocuApi__DocusignAuthentication__mdt metadata object. This object, installed via the Salesforce marketplace, stores sensitive configuration information, including keys, in a manner that is accessible to all users by default. Because of this misconfiguration, unauthorized users can access fields within this object to retrieve components that can be combined to forge a valid session token for the Docusign API. The forged session corresponds to an administrator-level service account, which typically has broad permissions, including the ability to re-authenticate as other users through the same authorization flow. This effectively allows an attacker to impersonate any user within the Docusign environment, leading to a complete compromise of the account. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and has a CVSS 3.1 base score of 8.1, indicating high severity. The attack vector is network-based with low attack complexity, requiring only low privileges and no user interaction. Although no public exploits have been reported yet, the potential impact is significant due to the administrative privileges involved. The vulnerability affects organizations using the specified Docusign API package integrated with Salesforce, especially those who have not altered the default access settings of the metadata object.

Potential Impact

The impact of CVE-2024-39344 is substantial for organizations using the vulnerable Docusign API package within Salesforce. Exploitation can lead to unauthorized disclosure of sensitive authentication keys, enabling attackers to create valid administrator-level sessions. This results in a complete compromise of the Docusign account, including the ability to impersonate any user and perform actions on their behalf. Such access can lead to data breaches, unauthorized document signing, manipulation of contracts, and disruption of business processes reliant on Docusign workflows. The compromise of administrator service accounts also undermines trust in the integrity and confidentiality of electronic signature processes. Organizations may face legal, financial, and reputational damage if sensitive contracts or personal data are exposed or altered. Given the integration with Salesforce, a widely used CRM platform, the scope of affected systems can be broad, impacting multiple industries globally.

Mitigation Recommendations

To mitigate CVE-2024-39344, organizations should immediately review and restrict access permissions to the Apttus_DocuApi__DocusignAuthentication__mdt metadata object within Salesforce. Specifically, ensure that this object and its fields are not readable by all users by default, and limit read access strictly to trusted administrators and the integration accounts that require it. Apply the principle of least privilege to all users and service accounts interacting with the Docusign API package. Monitor and audit access logs for any unusual activity related to this object or to Docusign API sessions. Update or patch the Docusign API package to a version that addresses this vulnerability once the vendor releases one. Additionally, rotate any exposed keys or credentials associated with the Docusign integration, since restricting access does not invalidate values that may already have been read. Enforce multi-factor authentication (MFA) for administrator accounts and consider using Salesforce Shield or similar tools to enhance monitoring and data protection. Finally, educate administrators and developers about secure configuration practices for third-party packages installed via marketplaces.
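The first mitigation step above is to find out who can actually read the metadata object. In Salesforce, field-level read access is recorded in the standard FieldPermissions object, which can be queried with SOQL (the object name and field names in that query are the real Salesforce ones; the secret field name used in the sample is a placeholder, since the advisory does not list the package's field names). The following script is an added example, not part of the advisory or of the Docusign package: it takes the JSON result of such a query, works out which profile or permission set each grant belongs to, and flags every grantee outside a hypothetical allowlist of administrators. The sample records are constructed for the example.

```python
"""Audit read access to a sensitive Salesforce custom metadata type.

Assumed input: the JSON result of a SOQL query such as

    SELECT Parent.Label, Parent.IsOwnedByProfile, Parent.Profile.Name,
           Field, PermissionsRead
    FROM FieldPermissions
    WHERE SobjectType = 'Apttus_DocuApi__DocusignAuthentication__mdt'

exported from the org (for example via the Salesforce CLI with --json).
The records below are constructed sample data, not real org output.
"""
import json

SENSITIVE_OBJECT = "Apttus_DocuApi__DocusignAuthentication__mdt"

# Hypothetical allowlist of grantees that legitimately need read access.
ALLOWED_GRANTEES = {"System Administrator", "DocuSign Integration Admin"}

# Placeholder field name: the advisory does not list the package's fields.
SECRET_FIELD = f"{SENSITIVE_OBJECT}.PlaceholderSecret__c"

# Constructed sample of what the query above might return.
SAMPLE_RESULT = json.dumps({"result": {"records": [
    {"Parent": {"Label": "System Administrator", "IsOwnedByProfile": True,
                "Profile": {"Name": "System Administrator"}},
     "Field": SECRET_FIELD, "PermissionsRead": True},
    {"Parent": {"Label": "Standard User", "IsOwnedByProfile": True,
                "Profile": {"Name": "Standard User"}},
     "Field": SECRET_FIELD, "PermissionsRead": True},
    {"Parent": {"Label": "DocuSign Integration Admin",
                "IsOwnedByProfile": False, "Profile": None},
     "Field": SECRET_FIELD, "PermissionsRead": True},
    {"Parent": {"Label": "Marketing User", "IsOwnedByProfile": True,
                "Profile": {"Name": "Marketing User"}},
     "Field": SECRET_FIELD, "PermissionsRead": False},
]}})


def grantee_name(record):
    """Resolve the grant to a human-readable profile or permission set name.

    For profile-owned permission sets the profile name is the meaningful
    identifier; for standalone permission sets the Label is.
    """
    parent = record["Parent"]
    if parent.get("IsOwnedByProfile") and parent.get("Profile"):
        return parent["Profile"]["Name"]
    return parent["Label"]


def parse_field_permissions(json_text):
    """Return the FieldPermissions records from a CLI-style JSON result."""
    data = json.loads(json_text)
    return data["result"]["records"]


def find_overexposed(records, allowed=ALLOWED_GRANTEES):
    """Return (grantee, field) pairs with read access outside the allowlist.

    Only grants on the sensitive object with PermissionsRead set are
    considered; grants on other objects or without read are ignored.
    """
    findings = []
    for rec in records:
        if not rec["Field"].startswith(SENSITIVE_OBJECT + "."):
            continue
        if not rec.get("PermissionsRead"):
            continue
        name = grantee_name(rec)
        if name not in allowed:
            findings.append((name, rec["Field"]))
    return sorted(set(findings))


if __name__ == "__main__":
    for name, field in find_overexposed(parse_field_permissions(SAMPLE_RESULT)):
        print(f"UNEXPECTED READ: {name!r} can read {field}")
```

In a real review, replace SAMPLE_RESULT with the exported query result and extend the allowlist to match the org; any grantee the script prints is a candidate for having its read access removed, after which the exposed credentials should still be rotated.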


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-06-24T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c87b7ef31ef0b565e84
Added to database: 2/25/2026, 9:41:27 PM
Last enriched: 2/26/2026, 5:55:01 AM
Last updated: 2/26/2026, 9:35:54 AM
