cnvd - cnvd-2022-85324

CNVD-2022-85324

Vulnerability from cnvd - Published: 2022-12-06

Title

Discourse信息泄露漏洞

Description

Discourse是一套开源的社区讨论平台。该平台包括社区、电子邮件和聊天室等功能。 Discourse 2.8.13之前版本、2.9.0.beta14之前版本、2.9.0.tests-passed beta14之前的版本存在信息泄露漏洞。该漏洞源于应用对于敏感信息保护不足，攻击者利用该漏洞获取敏感信息。

Severity

低

Patch Name

Discourse信息泄露漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新：https://github.com/discourse/discourse/commit/84c83e8d4a1907f8a2972f0ab44b6402aa910c3b

Reference

https://github.com/discourse/discourse/security/advisories/GHSA-rqvq-94h8-p5wv

Impacted products

Name
['Discourse Discourse <2.8.13', 'Discourse Discourse <2.9.0.beta14', 'Discourse Discourse <2.9.0.tests-passed beta14']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-46150",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-46150"
    }
  },
  "description": "Discourse\u662f\u4e00\u5957\u5f00\u6e90\u7684\u793e\u533a\u8ba8\u8bba\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u5305\u62ec\u793e\u533a\u3001\u7535\u5b50\u90ae\u4ef6\u548c\u804a\u5929\u5ba4\u7b49\u529f\u80fd\u3002\n\nDiscourse 2.8.13\u4e4b\u524d\u7248\u672c\u30012.9.0.beta14\u4e4b\u524d\u7248\u672c\u30012.9.0.tests-passed beta14\u4e4b\u524d\u7684\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u5bf9\u4e8e\u654f\u611f\u4fe1\u606f\u4fdd\u62a4\u4e0d\u8db3\uff0c\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1ahttps://github.com/discourse/discourse/commit/84c83e8d4a1907f8a2972f0ab44b6402aa910c3b",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-85324",
  "openTime": "2022-12-06",
  "patchDescription": "Discourse\u662f\u4e00\u5957\u5f00\u6e90\u7684\u793e\u533a\u8ba8\u8bba\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u5305\u62ec\u793e\u533a\u3001\u7535\u5b50\u90ae\u4ef6\u548c\u804a\u5929\u5ba4\u7b49\u529f\u80fd\u3002\r\n\r\nDiscourse 2.8.13\u4e4b\u524d\u7248\u672c\u30012.9.0.beta14\u4e4b\u524d\u7248\u672c\u30012.9.0.tests-passed beta14\u4e4b\u524d\u7684\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u5bf9\u4e8e\u654f\u611f\u4fe1\u606f\u4fdd\u62a4\u4e0d\u8db3\uff0c\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Discourse\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Discourse Discourse \u003c2.8.13",
      "Discourse Discourse \u003c2.9.0.beta14",
      "Discourse Discourse \u003c2.9.0.tests-passed beta14"
    ]
  },
  "referenceLink": "https://github.com/discourse/discourse/security/advisories/GHSA-rqvq-94h8-p5wv",
  "serverity": "\u4f4e",
  "submitTime": "2022-11-30",
  "title": "Discourse\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2022-46150 (GCVE-0-2022-46150)

Vulnerability from cvelistv5 – Published: 2022-11-29 00:00 – Updated: 2025-04-23 16:33

Summary

Discourse is an open-source discussion platform. Prior to version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches, unauthorized users may learn of the existence of hidden tags and that they have been applied to topics that they have access to. This issue is patched in version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches. As a workaround, use the `disable_email` site setting to disable all emails to non-staff users.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/discourse/discourse/security/a…
	https://github.com/discourse/discourse/commit/84c…

Impacted products

	Vendor	Product	Version
	discourse	discourse	Affected: < 2.8.13 Affected: >= 2.9.0.beta0, < 2.9.0.beta14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:24:03.393Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/discourse/discourse/security/advisories/GHSA-rqvq-94h8-p5wv"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/discourse/discourse/commit/84c83e8d4a1907f8a2972f0ab44b6402aa910c3b"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-46150",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T13:53:32.530966Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:33:56.607Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "discourse",
          "vendor": "discourse",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.8.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.9.0.beta0, \u003c 2.9.0.beta14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Discourse is an open-source discussion platform. Prior to version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches, unauthorized users may learn of the existence of hidden tags and that they have been applied to topics that they have access to. This issue is patched in version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches. As a workaround, use the `disable_email` site setting to disable all emails to non-staff users."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-29T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/discourse/discourse/security/advisories/GHSA-rqvq-94h8-p5wv"
        },
        {
          "url": "https://github.com/discourse/discourse/commit/84c83e8d4a1907f8a2972f0ab44b6402aa910c3b"
        }
      ],
      "source": {
        "advisory": "GHSA-rqvq-94h8-p5wv",
        "discovery": "UNKNOWN"
      },
      "title": "Discourse may allow exposure of hidden tags in the subject of notification emails"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-46150",
    "datePublished": "2022-11-29T00:00:00.000Z",
    "dateReserved": "2022-11-28T00:00:00.000Z",
    "dateUpdated": "2025-04-23T16:33:56.607Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-85324

CVE-2022-46150 (GCVE-0-2022-46150)

Tags

Sightings

Nomenclature