CVE-2024-24755

discourse-group-membership-ip-block is a discourse plugin that adds support for adding users to groups based on their IP address. discourse-group-membership-ip-block was sending all group custom fields to the client, including group custom fields from other plugins which may expect their custom fields to remain secret.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse-group-membership-ip-block/commit/b394d61b0bdfd18a2d8310aa5cf26cccf8bd31c1	Patch
https://github.com/discourse/discourse-group-membership-ip-block/security/advisories/GHSA-r38c-cp8w-664m	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:discourse:group_membership_ip_blocks:-:*:*:*:*:*:*:*

History

09 Feb 2024, 19:47

Type	Values Removed	Values Added
First Time		Discourse Discourse group Membership Ip Blocks
CWE	~~CWE-200~~	NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
CPE		cpe:2.3:a:discourse:group_membership_ip_blocks:-:::::::*
References	~~() https://github.com/discourse/discourse-group-membership-ip-block/security/advisories/GHSA-r38c-cp8w-664m -~~	() https://github.com/discourse/discourse-group-membership-ip-block/security/advisories/GHSA-r38c-cp8w-664m - Vendor Advisory
References	~~() https://github.com/discourse/discourse-group-membership-ip-block/commit/b394d61b0bdfd18a2d8310aa5cf26cccf8bd31c1 -~~	() https://github.com/discourse/discourse-group-membership-ip-block/commit/b394d61b0bdfd18a2d8310aa5cf26cccf8bd31c1 - Patch

01 Feb 2024, 22:39

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-01 22:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-24755

Mitre link : CVE-2024-24755

CVE.ORG link : CVE-2024-24755

JSON object : View

Products Affected

discourse

group_membership_ip_blocks

CWE

NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2024-24755", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-02-01T22:15:55.900", "references": [{"url": "https://github.com/discourse/discourse-group-membership-ip-block/commit/b394d61b0bdfd18a2d8310aa5cf26cccf8bd31c1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/discourse/discourse-group-membership-ip-block/security/advisories/GHSA-r38c-cp8w-664m", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "discourse-group-membership-ip-block is a discourse plugin that adds support for adding users to groups based on their IP address. discourse-group-membership-ip-block was sending all group custom fields to the client, including group custom fields from other plugins which may expect their custom fields to remain secret."}, {"lang": "es", "value": "discourse-group-membership-ip-block es un complemento de discourse que agrega soporte para agregar usuarios a grupos seg\u00fan su direcci\u00f3n IP. discourse-group-membership-ip-block estaba enviando todos los campos personalizados del grupo al cliente, incluidos los campos personalizados del grupo de otros complementos que pueden esperar que sus campos personalizados permanezcan en secreto."}], "lastModified": "2024-02-09T19:47:59.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:group_membership_ip_blocks:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "492C9419-3CF5-418E-8FA1-78CA1C2B5E31"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}