Group SMTP user emails are exposed in CC email header

Low
jomaxro published GHSA-8p7g-3wm6-p3rm Jan 5, 2023

Package

Discourse (Discourse)

Affected versions

stable <= 2.8.13; beta <= 3.0.0.beta15; tests-passed <= 3.0.0.beta15

Patched versions

stable >= 2.8.14; beta >= 3.0.0.beta16; tests-passed >= 3.0.0.beta16

Description

Impact

Recipients of a group SMTP email could see the email addresses of all other users inside the group SMTP topic. Most of the time this is not an issue as they are likely already familiar with one another's email addresses.

Patches

Patched in the latest version. When sending emails out via group SMTP, we now mask the addresses of non-staged users by placing them in BCC, so that we don't expose them to anyone we shouldn't. Staged users are ones that have likely only interacted with the group via email, and will likely include other people who were CC'd on the original email to the group.
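The CC/BCC split described above, sketched as an added Ruby example (not Discourse's own code): `Recipient`, `headers_before_fix`, `headers_after_fix` and `leaked_non_staged` are hypothetical names, and the addresses are constructed sample data. The last helper is the kind of regression check that flags any non-staged address still present in a header other recipients can read.

```ruby
# Added illustration; not taken from the Discourse code base.
# Recipient and all method names below are hypothetical.
Recipient = Struct.new(:email, :staged)

# Behaviour the advisory describes as affected: every other participant in
# the group SMTP topic is listed in CC, so each recipient can read them all.
def headers_before_fix(to, participants)
  others = participants.reject { |r| r.email == to.email }
  { "To" => to.email, "Cc" => others.map(&:email), "Bcc" => [] }
end

# Behaviour the advisory describes as patched: staged users (email-only
# participants, typically CC'd on the original message) stay in CC, while
# non-staged users are moved to BCC.
def headers_after_fix(to, participants)
  others = participants.reject { |r| r.email == to.email }
  staged, non_staged = others.partition(&:staged)
  { "To" => to.email,
    "Cc" => staged.map(&:email),
    "Bcc" => non_staged.map(&:email) }
end

# Regression check: non-staged addresses, other than the direct recipient,
# that appear in CC, a header every recipient of the message can read.
# BCC recipients are not shown to other recipients.
def leaked_non_staged(headers, participants)
  non_staged = participants.reject(&:staged).map(&:email)
  (headers["Cc"] - [headers["To"]]) & non_staged
end

# Constructed sample topic: two staged (email-only) users, two group members.
PARTICIPANTS = [
  Recipient.new("customer@example.com", true),
  Recipient.new("cc-colleague@example.com", true),
  Recipient.new("member1@example.org", false),
  Recipient.new("member2@example.org", false),
]
```
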

Workarounds

Disable group SMTP for any groups that have it enabled.

Severity

Low 3.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2022-46168

Weaknesses