
Category group permissions leaked to users that cannot edit a category

Moderate
jomaxro published GHSA-34xr-ff4w-mcpf Apr 14, 2022

Package

Discourse (Discourse)

Affected versions

stable <= 2.8.2; beta <= 2.9.0.beta3; tests-passed <= 2.9.0.beta3

Patched versions

stable >= 2.8.3; beta >= 2.9.0.beta4; tests-passed >= 2.9.0.beta4

Description

Impact

A category's group permissions settings can be viewed by anyone that has access to the category. As a result, a normal user is able to see whether a group has read/write permissions in the category even though the information should only be available to the users that can manage a category.
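An added illustration of this bug class (hypothetical Ruby, not Discourse's own code): a category serializer that returns the group permission map to every viewer with read access, beside one that emits the field only after an edit check. The group names, permission levels and manager list are constructed assumptions.

```ruby
# Hypothetical in-memory model of the bug class in this advisory; not
# Discourse's own code. Group names, levels and managers are constructed.
Category = Struct.new(:id, :name, :group_permissions, :managers, keyword_init: true)
User     = Struct.new(:username, :groups, :admin, keyword_init: true)

# Anonymous viewers (nil) belong only to the hypothetical 'everyone' group.
def groups_of(user)
  user ? user.groups : ['everyone']
end

# Any permission level (:full, :create_post, :readonly) grants read access.
def can_see_category?(user, category)
  return true if user&.admin
  (groups_of(user) & category.group_permissions.keys).any?
end

# Only admins and designated managers may edit the category; the sensitive
# field must be gated on this check, not on read access.
def can_edit_category?(user, category)
  return false if user.nil?
  user.admin || category.managers.include?(user.username)
end

# Vulnerable shape: every viewer with read access receives the full group
# permission map, which is the disclosure the advisory describes.
def serialize_category_leaky(user, category)
  raise ArgumentError, 'category not visible' unless can_see_category?(user, category)
  { id: category.id, name: category.name,
    group_permissions: category.group_permissions }
end

# Hardened shape: same payload, but group_permissions is emitted only when
# the viewer passes the edit check.
def serialize_category(user, category)
  raise ArgumentError, 'category not visible' unless can_see_category?(user, category)
  data = { id: category.id, name: category.name }
  data[:group_permissions] = category.group_permissions if can_edit_category?(user, category)
  data
end

# Constructed sample category: readable by everyone, managed by 'alice'.
SAMPLE_CATEGORY = Category.new(
  id: 7, name: 'announcements',
  group_permissions: { 'everyone' => :readonly, 'staff' => :full },
  managers: ['alice']
).freeze
```

Calling `serialize_category_leaky` and `serialize_category` with an ordinary reader on `SAMPLE_CATEGORY` shows the difference: the first includes `:group_permissions`, the second does not.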

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

There are no workarounds for this problem.

Severity

Moderate, 5.3 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE ID

CVE-2022-24850

Weaknesses

No CWEs