CVE-2022-21678

Discourse is an open source discussion platform. Prior to version 2.8.0.beta11 in the `tests-passed` branch, version 2.8.0.beta11 in the `beta` branch, and version 2.7.13 in the `stable` branch, the bios of users who made their profiles private were still visible in the `<meta>` tags on their users' pages. The problem is patched in `tests-passed` version 2.8.0.beta11, `beta` version 2.8.0.beta11, and `stable` version 2.7.13 of Discourse.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/discourse/discourse/commit/5e2e178fcfb490c37b9f8bb9f737185441b1d6de	Patch Third Party Advisory
https://github.com/discourse/discourse/commit/c0bb775f3f35b1b0d04a5b2a984f57c3e39f9e6c	Patch Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-jwww-46gv-564m	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta1::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta10::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta2::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta3::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta4::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta5::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta6::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta7::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta8::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta9::::::

History

24 Jul 2023, 13:54

Type	Values Removed	Values Added
CWE	~~CWE-200~~	CWE-863

Information

Published : 2022-01-13 18:15

Updated : 2024-02-28 18:48

NVD link : CVE-2022-21678

Mitre link : CVE-2022-21678

CVE.ORG link : CVE-2022-21678

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-863

Incorrect Authorization

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2022-21678", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2022-01-13T18:15:08.233", "references": [{"url": "https://github.com/discourse/discourse/commit/5e2e178fcfb490c37b9f8bb9f737185441b1d6de", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/discourse/discourse/commit/c0bb775f3f35b1b0d04a5b2a984f57c3e39f9e6c", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/discourse/discourse/security/advisories/GHSA-jwww-46gv-564m", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Discourse is an open source discussion platform. Prior to version 2.8.0.beta11 in the `tests-passed` branch, version 2.8.0.beta11 in the `beta` branch, and version 2.7.13 in the `stable` branch, the bios of users who made their profiles private were still visible in the `<meta>` tags on their users' pages. The problem is patched in `tests-passed` version 2.8.0.beta11, `beta` version 2.8.0.beta11, and `stable` version 2.7.13 of Discourse."}, {"lang": "es", "value": "Discourse es una plataforma de debate de c\u00f3digo abierto. En versiones anteriores a 2.8.0.beta11 en la rama \"tests-passed\", la versi\u00f3n 2.8.0.beta11 en la rama \"beta\", y la versi\u00f3n 2.7.13 en la rama \"stable\", las biograf\u00edas de los usuarios que hac\u00edan sus perfiles privados segu\u00edan siendo visibles en las etiquetas \"(meta)\" de sus p\u00e1ginas de usuario. El problema est\u00e1 parcheado en la versi\u00f3n 2.8.0.beta11 de \"tests-passed\", la versi\u00f3n 2.8.0.beta11 de \"beta\" y la versi\u00f3n 2.7.13 de \"stable\" de Discourse"}], "lastModified": "2023-07-24T13:54:24.070", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "131D6FC3-2C60-4524-9B4E-F8316312A606", "versionEndExcluding": "2.7.13"}, {"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E7F8AC4-35D1-45E5-8A3A-B0205000A5D3"}, {"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta10:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7A24507D-6D4B-4992-BCFE-232AF3BFCC30"}, {"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9AE12FE-0396-4843-8D30-D8C44FAE01DA"}, {"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F101AEAB-4FB7-4BE3-931B-595702D616C7"}, {"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6878B7F-2691-4D3F-8116-CB282FDAAAC7"}, {"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "76EABAB9-BEA4-48D4-ADBA-D00746B29C52"}, {"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82A255A2-4658-41AD-A4DE-A7F8D018028D"}, {"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E5804585-2EA4-4677-8EC1-5F561D5C7D7A"}, {"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "082A6871-080A-4AA7-AF4A-D664EA46488A"}, {"criteria": "cpe:2.3:a:discourse:discourse:2.8.0:beta9:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A280205-A2DC-4E30-937B-5564C779FD5A"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}