Skip to content

Invite bypasses user approval

Low
jomaxro published GHSA-x7jh-mx5q-6f9q Jun 3, 2022

Package

Discourse (Discourse)

Affected versions

stable <= 2.8.3; beta <= 2.9.0.beta4; tests-passed <= 2.9.0.beta4

Patched versions

stable >= 2.8.4; beta >= 2.9.0.beta5; tests-passed >= 2.9.0.beta5

Description

Impact

Inviting users on sites that use SSO could bypass the must_approve_users check and invites by staff are always approved automatically.

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse

Workarounds

Disable invites. Administrators can increase min_trust_level_to_allow_invite to reduce the attack surface to more trusted users (e.g. trust level 4).

Severity

Low

CVE ID

CVE-2022-31025

Weaknesses

No CWEs