CVE-2022-39385

CVSS V2 None CVSS V3 Medium 6.5
Description
Discourse is the an open source discussion platform. In some rare cases users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this, it happens transparently in the background. This issue has been resolved in commit `a414520742` and will be included in future releases. Users are advised to upgrade. Users are also advised to set `SiteSetting.max_invites_per_day` to 0 until the patch is installed.
Overview
  • CVE ID
  • CVE-2022-39385
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-11-14T21:15:15
  • Last Modified Date
  • 2022-11-17T20:24:56
Weakness Enumerations
CWE URL
CWE-863 http://cwe.mitre.org/data/definitions/863.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:* 1 OR 2.8.10
cpe:2.3:a:discourse:discourse:2.9.0:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:discourse:discourse:2.9.0:beta10:*:*:*:*:*:* 1 OR
cpe:2.3:a:discourse:discourse:2.9.0:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:discourse:discourse:2.9.0:beta3:*:*:*:*:*:* 1 OR
cpe:2.3:a:discourse:discourse:2.9.0:beta4:*:*:*:*:*:* 1 OR
cpe:2.3:a:discourse:discourse:2.9.0:beta5:*:*:*:*:*:* 1 OR
cpe:2.3:a:discourse:discourse:2.9.0:beta6:*:*:*:*:*:* 1 OR
cpe:2.3:a:discourse:discourse:2.9.0:beta7:*:*:*:*:*:* 1 OR
cpe:2.3:a:discourse:discourse:2.9.0:beta8:*:*:*:*:*:* 1 OR
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • LOW
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • NONE
  • Base Score
  • 6.5
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 2.8
  • Impact Score
  • 3.6
References
Reference URL Reference Tags
https://github.com/discourse/discourse/security/advisories/GHSA-gh5r-j595-qx48
https://github.com/discourse/discourse/commit/a414520742da8dc9dc976d4fb7b72dbd445813bb
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-39385
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39385
History
Created Old Value New Value Data Type Notes
2022-11-14 22:00:22 Added to TrackCVE
2022-12-07 17:42:37 2022-11-14T21:15Z 2022-11-14T21:15:15 CVE Published Date updated
2022-12-07 17:42:37 2022-11-17T20:24:56 CVE Modified Date updated
2022-12-07 17:42:37 Analyzed Vulnerability Status updated
2022-12-07 17:42:38 CPE Information updated