Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2022-21677
HistoryJan 14, 2022 - 5:15 p.m.

CVE-2022-21677

2022-01-1417:15:13
CWE-200
[email protected]
web.nvd.nist.gov
34
discourse
cve-2022-21677
group visibility
security vulnerability
open source
discussion platform
advanced search
upgrade required

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.2%

JSON

Discourse is an open source discussion platform. Discourse groups can be configured with varying visibility levels for the group as well as the group members. By default, a newly created group has its visibility set to public and the group’s members visibility set to public as well. However, a group’s visibility and the group’s members visibility can be configured such that it is restricted to logged on users, members of the group or staff users. A vulnerability has been discovered in versions prior to 2.7.13 and 2.8.0.beta11 where the group advanced search option does not respect the group’s visibility and members visibility level. As such, a group with restricted visibility or members visibility can be revealed through search with the right search option. This issue is patched in stable version 2.7.13, beta version 2.8.0.beta11, and tests-passed version 2.8.0.beta11 versions of Discourse. There are no workarounds aside from upgrading.

Affected configurations

Vulners
NVD
Node
discoursediscourseRange<2.7.13
OR
discoursediscourseRange<2.8.0.beta11
VendorProductVersionCPE
discoursediscourse*cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
discoursediscourse*cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "discourse",
    "vendor": "discourse",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.7.13"
      },
      {
        "status": "affected",
        "version": "< 2.8.0.beta11"
      }
    ]
  }
]

Related

osv 2
cvelist 1
cnvd 1
prion 1
nvd 1
openvas 2
osv
osv
BIT-discourse-2022-21677
2024-03-06 11:08:07
CVE-2022-21677
2022-01-14 17:15:13
cvelist
cvelist
CVE-2022-21677 Group advanced search option may leak group and group's members visibility
2022-01-14 16:45:17
cnvd
cnvd
Discourse Information Disclosure Vulnerability (CNVD-2022-05503)
2022-01-18 00:00:00
prion
prion
Spoofing
2022-01-14 17:15:00
nvd
nvd
CVE-2022-21677
2022-01-14 17:15:13
openvas
openvas
Discourse < 2.7.13 Multiple Vulnerabilities
2022-01-11 00:00:00
Discourse 2.8.x < 2.8.0.beta11 Multiple Vulnerabilities
2022-01-11 00:00:00

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.2%

JSON
Related for CVE-2022-21677
osv2cvelist1cnvd1prion1nvd1openvas2