Vulnerability Details : CVE-2022-41944
Discourse is an open-source discussion platform. In stable versions prior to 2.8.12 and beta or tests-passed versions prior to 2.9.0.beta.13, under certain conditions, a user can see notifications for topics they no longer have access to. If there is sensitive information in the topic title, it will therefore have been exposed. This issue is patched in stable version 2.8.12, beta version 2.9.0.beta13, and tests-passed version 2.9.0.beta13. There are no workarounds available.
Vulnerability category: Information leak
Products affected by CVE-2022-41944
- cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta8:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta9:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta10:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta11:*:*:*:*:*:*
- cpe:2.3:a:discourse:discourse:2.9.0:beta12:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-41944
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 19 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-41944
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
2.8
|
1.4
|
NIST | |
3.5
|
LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
2.1
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2022-41944
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: security-advisories@github.com (Secondary)
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-41944
-
https://github.com/discourse/discourse/security/advisories/GHSA-354r-jpj5-53c2
Users can see notifications for topics they no longer have access to · Advisory · discourse/discourse · GitHubThird Party Advisory
-
https://github.com/discourse/discourse/commit/c6ee28ec756436cc9ce154dd2c8e4c441f92f693
SECURITY: Hide notifications for inaccessible topics (#19208) · discourse/discourse@c6ee28e · GitHubPatch;Third Party Advisory
Jump to