Lucene search

GitHub_MCVELIST:CVE-2024-24755

HistoryFeb 01, 2024 - 10:14 p.m.

CVE-2024-24755 discourse-group-membership-ip-block is exposing potentially sensitive custom fields

2024-02-0122:14:23

CWE-200

GitHub_M

www.cve.org

cve-2024-24755

ip address

group membership

custom fields

data exposure

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

discourse-group-membership-ip-block is a discourse plugin that adds support for adding users to groups based on their IP address. discourse-group-membership-ip-block was sending all group custom fields to the client, including group custom fields from other plugins which may expect their custom fields to remain secret.

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse-group-membership-ip-block",
    "versions": [
      {
        "version": "< b394d61b0bdfd18a2d8310aa5cf26cccf8bd31c1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/discourse/discourse-group-membership-ip-block/commit/b394d61b0bdfd18a2d8310aa5cf26cccf8bd31c1

github.com/discourse/discourse-group-membership-ip-block/security/advisories/GHSA-r38c-cp8w-664m

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

Related for CVELIST:CVE-2024-24755