CVE-2022-24804
Private group name exposure in discourse
Descriptions
Discourse is an open source platform for community discussion. Stable versions prior to 2.8.3 and beta versions prior to 2.9.0.beta4 erroneously expose groups. When a group with restricted visibility has been used to set the permissions of a category, the name of the group is leaked to any user that is able to see the category. To work around the problem, a site administrator can remove groups with restricted visibility from any category's permissions setting.
Timeline
- 2022-02-10 CVE Reserved
- 2022-04-11 CVE Published
- 2024-08-03 CVE Updated
- 2024-11-15 EPSS Updated
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-276: Incorrect Default Permissions
References (2)
URL | Tag | Source
---|---|---
https://github.com/discourse/discourse/security/advisories/GHSA-v4c9-6m9g-37ff | Third Party Advisory | -

URL | Date | SRC
---|---|---
https://github.com/discourse/discourse/commit/0f7b9878ff3207ce20970f0517604793920bb3d2 | 2022-04-18 | -
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Discourse | Discourse | < 2.8.3 | - | Affected
Discourse | Discourse | 2.9.0 | beta1 | Affected
Discourse | Discourse | 2.9.0 | beta2 | Affected
Discourse | Discourse | 2.9.0 | beta3 | Affected