CVE-2022-21677
Published Jan 14, 2022
Last updated 3 years ago
Overview
- Description
- Discourse is an open source discussion platform. Discourse groups can be configured with varying visibility levels for the group as well as the group members. By default, a newly created group has its visibility set to public and the group's members visibility set to public as well. However, a group's visibility and the group's members visibility can be configured such that it is restricted to logged on users, members of the group or staff users. A vulnerability has been discovered in versions prior to 2.7.13 and 2.8.0.beta11 where the group advanced search option does not respect the group's visibility and members visibility level. As such, a group with restricted visibility or members visibility can be revealed through search with the right search option. This issue is patched in `stable` version 2.7.13, `beta` version 2.8.0.beta11, and `tests-passed` version 2.8.0.beta11 versions of Discourse. There are no workarounds aside from upgrading.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
Social media
- Hype score
- Not currently trending
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 5.3
- Impact score
- 1.4
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Severity
- MEDIUM
CVSS 2.0
- Type
- Primary
- Base score
- 5
- Impact score
- 2.9
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:P/I:N/A:N
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "90644EF6-8581-4711-A415-1886D3199768",
"versionEndIncluding": "2.7.12"
},
{
"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9E7F8AC4-35D1-45E5-8A3A-B0205000A5D3"
},
{
"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta10:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "7A24507D-6D4B-4992-BCFE-232AF3BFCC30"
},
{
"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B9AE12FE-0396-4843-8D30-D8C44FAE01DA"
},
{
"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F101AEAB-4FB7-4BE3-931B-595702D616C7"
},
{
"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F6878B7F-2691-4D3F-8116-CB282FDAAAC7"
},
{
"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta5:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "76EABAB9-BEA4-48D4-ADBA-D00746B29C52"
},
{
"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta6:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "82A255A2-4658-41AD-A4DE-A7F8D018028D"
},
{
"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta7:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E5804585-2EA4-4677-8EC1-5F561D5C7D7A"
},
{
"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta8:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "082A6871-080A-4AA7-AF4A-D664EA46488A"
},
{
"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta9:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8A280205-A2DC-4E30-937B-5564C779FD5A"
}
],
"operator": "OR"
}
]
}
]