Vulnerability Details : CVE-2022-39378
Discourse is a platform for community discussion. Under certain conditions, a user badge may have been awarded based on a user's activity in a topic with restricted access. Before this vulnerability was disclosed, the topic title of the topic associated with the user badge may be viewed by any user. If there are sensitive information in the topic title, it will therefore have been exposed. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are currently no known workarounds available.
Vulnerability category: Information leak
Products affected by CVE-2022-39378
- cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta8:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta9:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-39378
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 31 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-39378
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
NIST | |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2022-39378
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2022-39378
-
https://github.com/discourse/discourse/security/advisories/GHSA-2gvq-27h6-4h5f
Displaying user badges can leak topic titles to users that have no access to the topic · Advisory · discourse/discourse · GitHubThird Party Advisory
Jump to