CVE-2022-24850

Published: Apr 14, 2022Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Discourse is an open source platform for community discussion. A category's group permissions settings can be viewed by anyone that has access to the category. As a result, a normal user is able to see whether a group has read/write permissions in the category even though the information should only be available to the users that can manage a category. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no workarounds for this problem.

Affected (4)

Products: Discourse: Discourse

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Discourse Discourse	Before 2.8.2
Discourse Discourse	Version 2.9.0 beta1
Discourse Discourse	Version 2.9.0 beta2
Discourse Discourse	Version 2.9.0 beta3

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (2)

https://github.com/discourse/discourse/security/advisories/GHSA-34xr-ff4w-mcpf

Source: security-advisories@github.com

Third Party Advisory

https://github.com/discourse/discourse/security/advisories/GHSA-34xr-ff4w-mcpf

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.