CVE-2023-45131

Discourse is an open source platform for community discussion. New chat messages can be read by making an unauthenticated POST request to MessageBus. This issue is patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-84gf-hhrc-9pw6	Vendor Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-84gf-hhrc-9pw6	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse:::::stable:::*
	cpe:2.3:a:discourse:discourse:3.2.0:beta1:::beta:::*

History

21 Nov 2024, 08:26

Type	Values Removed	Values Added
References	~~() https://github.com/discourse/discourse/security/advisories/GHSA-84gf-hhrc-9pw6 - Vendor Advisory~~	() https://github.com/discourse/discourse/security/advisories/GHSA-84gf-hhrc-9pw6 - Vendor Advisory

19 Oct 2023, 17:55

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/discourse/discourse/security/advisories/GHSA-84gf-hhrc-9pw6 -~~	(MISC) https://github.com/discourse/discourse/security/advisories/GHSA-84gf-hhrc-9pw6 - Vendor Advisory
CPE		cpe:2.3:a:discourse:discourse:3.2.0:beta1:::beta:::* cpe:2.3:a:discourse:discourse:::::stable:::*
CWE	~~CWE-200~~	NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Discourse Discourse discourse

16 Oct 2023, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-16 22:15

Updated : 2024-11-21 08:26

NVD link : CVE-2023-45131

Mitre link : CVE-2023-45131

CVE.ORG link : CVE-2023-45131

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2023-45131", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-10-16T22:15:12.650", "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-84gf-hhrc-9pw6", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/discourse/discourse/security/advisories/GHSA-84gf-hhrc-9pw6", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Discourse is an open source platform for community discussion. New chat messages can be read by making an unauthenticated POST request to MessageBus. This issue is patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Discourse es una plataforma de c\u00f3digo abierto para el debate comunitario. Los nuevos mensajes de chat se pueden leer realizando una solicitud POST no autenticada a MessageBus. Este problema se solucion\u00f3 en las versiones 3.1.1 stable y 3.2.0.beta2 de Discourse. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-11-21T08:26:24.310", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*", "vulnerable": true, "matchCriteriaId": "6AC25048-A9DA-4EB4-A05B-33B6348539CA", "versionEndIncluding": "3.1.1"}, {"criteria": "cpe:2.3:a:discourse:discourse:3.2.0:beta1:*:*:beta:*:*:*", "vulnerable": true, "matchCriteriaId": "1BFF647B-6CEF-43BF-BF5E-C82B557F78E2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}