Lucene search

GoogleOSV:CVE-2023-23620

HistoryJan 28, 2023 - 12:15 a.m.

CVE-2023-23620

2023-01-2800:15:09

Google

osv.dev

discourse

discussion platform

unauthorized access

restricted tags

patched

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

27.0%

JSON

Discourse is an open-source discussion platform. Prior to version 3.0.1 on the stable branch and 3.1.0.beta2 on the beta and tests-passed branches, the contents of latest/top routes for restricted tags can be accessed by unauthorized users. This issue is patched in version 3.0.1 on the stable branch and 3.1.0.beta2 on the beta and tests-passed branches. There are no known workarounds.

CPENameOperatorVersion
discourseeq2.9.0.beta5
discourseeq1.6.0.beta4
discourseeq0.8.4
discourseeq2.9.0.beta4
discourseeq1.6.0.beta9
discourseeq1.2.0.beta4
discourseeq1.9.0.beta2
discourseeq2.4.0.beta7
discourseeq2.8.0.beta7
discourseeq2.9.0.beta1

Name	Operator	Version
discourse	eq	2.9.0.beta5
discourse	eq	1.6.0.beta4
discourse	eq	0.8.4
discourse	eq	2.9.0.beta4
discourse	eq	1.6.0.beta9
discourse	eq	1.2.0.beta4
discourse	eq	1.9.0.beta2
discourse	eq	2.4.0.beta7
discourse	eq	2.8.0.beta7
discourse	eq	2.9.0.beta1

Rows per page:

1-10 of 2721

References

github.com/discourse/discourse/commit/105fee978d73b0ec23ff814a09d1c0c9ace95164

github.com/discourse/discourse/pull/20004

github.com/discourse/discourse/security/advisories/GHSA-hvj9-g84x-5prx

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

27.0%

JSON

Related for OSV:CVE-2023-23620