BIT-discourse-2022-39356
OSV record: OSV:BIT-DISCOURSE-2022-39356
Published: 2024-03-06 11:03:50
Source: Google osv.dev
Tags: discourse, community, unauthorized access, upgrade, security, workaround, invitations

CVSS3: 8.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L)
  Attack Vector:          NETWORK
  Attack Complexity:      LOW
  Privileges Required:    LOW
  User Interaction:       REQUIRED
  Scope:                  CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact:       HIGH
  Availability Impact:    LOW

AI Score: 7 (Confidence: High)
EPSS: 0.001 (Percentile: 42.8%)

Discourse is a platform for community discussion. A user who receives an invitation link that is not scoped to a single email address can enter any non-admin user's email address when accepting the invitation and thereby gain access to that user's account. All users should upgrade to the latest version. As a workaround, temporarily disable invitations by setting SiteSetting.max_invites_per_day = 0, or scope invitations to individual email addresses.
