Skip to content

Group advanced search option may leak group and group's members visibility

Moderate
jomaxro published GHSA-768r-ppv4-5r27 Jan 14, 2022

Package

Discourse (Discourse)

Affected versions

stable <= 2.7.12; beta <= 2.8.0.beta10; tests-passed <= 2.8.0.beta10

Patched versions

stable > 2.7.12; beta > 2.8.0.beta10; tests-passed > 2.8.0.beta10

Description

Impact

Groups can be configured with varying visibility levels for the group as well as the group members. By default, a newly created group has its visibility set to public and the group's members visibility set to public as well. However, a group's visibility and the group's members visibility can be configured such that it is restricted to logged on users, members of the group or staff users. A vulnerability has been discovered where the group advanced search option does not respect the group's visibility and members visibility level. As such, a group with restricted visibility or members visibility can be revealed through search with the right search option.

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

None.

Severity

Moderate
4.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2022-21677

Weaknesses

No CWEs

Credits