CVE-2022-46177

2023-01-0520:15:18

CWE-613

[email protected]

web.nvd.nist.gov

cve-2022-46177

discourse

security vulnerability

account takeover

email token

patch required

version upgrade

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.2%

JSON

Discourse is an option source discussion platform. Prior to version 2.8.14 on the stable branch and version 3.0.0.beta16 on the beta and tests-passed branches, when a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account’s primary email would be re-linked to the old email. If the old email address is compromised or has transferred ownership, this leads to an account takeover. This is however mitigated by the SiteSetting email_token_valid_hours which is currently 48 hours. Users should upgrade to versions 2.8.14 or 3.0.0.beta15 to receive a patch. As a workaround, lower email_token_valid_hours as needed.

Affected configurations

Vulners

NVD

Node

discoursediscourseRange<2.8.14

discoursediscourseRange2.9.0.beta0–3.0.0.beta16

VendorProductVersionCPE
discoursediscourse*cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
discoursediscourse*cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
discourse	discourse	*	cpe:2.3:a:discourse:discourse::::::::
discourse	discourse	*	cpe:2.3:a:discourse:discourse::::::::

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse",
    "versions": [
      {
        "version": "< 2.8.14",
        "status": "affected"
      },
      {
        "version": ">= 2.9.0.beta0, < 3.0.0.beta16",
        "status": "affected"
      }
    ]
  }
]