CVE-2022-21677
on github
Published
Severity
CVSS v3:
5.3 MEDIUM
CVSS v2:
5 MEDIUM
Description
Discourse is an open source discussion platform. Discourse groups can be configured with varying visibility levels for the group as well as the group members. By default, a newly created group has its visibility set to public and the group's members visibility set to public as well. However, a group's visibility and the group's members visibility can be configured such that it is restricted to logged on users, members of the group or staff users. A vulnerability has been discovered in versions prior to 2.7.13 and 2.8.0.beta11 where the group advanced search option does not respect the group's visibility and members visibility level. As such, a group with restricted visibility or members visibility can be revealed through search with the right search option. This issue is patched in `stable` version 2.7.13, `beta` version 2.8.0.beta11, and `tests-passed` version 2.8.0.beta11 versions of Discourse. There are no workarounds aside from upgrading.
References
Configurations
CPE23 | Version Start | Version End | Exact Version |
---|---|---|---|
cpe:2.3:a:discourse:discourse:2.8.0:beta1:*:*:*:*:*:* | n/a | n/a | 2.8.0 |
cpe:2.3:a:discourse:discourse:2.8.0:beta2:*:*:*:*:*:* | n/a | n/a | 2.8.0 |
cpe:2.3:a:discourse:discourse:2.8.0:beta3:*:*:*:*:*:* | n/a | n/a | 2.8.0 |
cpe:2.3:a:discourse:discourse:2.8.0:beta4:*:*:*:*:*:* | n/a | n/a | 2.8.0 |
cpe:2.3:a:discourse:discourse:2.8.0:beta5:*:*:*:*:*:* | n/a | n/a | 2.8.0 |
cpe:2.3:a:discourse:discourse:2.8.0:beta6:*:*:*:*:*:* | n/a | n/a | 2.8.0 |
cpe:2.3:a:discourse:discourse:2.8.0:beta7:*:*:*:*:*:* | n/a | n/a | 2.8.0 |
cpe:2.3:a:discourse:discourse:2.8.0:beta9:*:*:*:*:*:* | n/a | n/a | 2.8.0 |
cpe:2.3:a:discourse:discourse:2.8.0:beta10:*:*:*:*:*:* | n/a | n/a | 2.8.0 |
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:* | n/a | 2.7.12 (including) | * |
cpe:2.3:a:discourse:discourse:2.8.0:beta8:*:*:*:*:*:* | n/a | n/a | 2.8.0 |