CVE-2022-21642

Discourse is an open source platform for community discussion. In affected versions when composing a message from topic the composer user suggestions reveals whisper participants. The issue has been patched in stable version 2.7.13 and beta version 2.8.0.beta11. There is no workaround for this issue and users are advised to upgrade.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/discourse/discourse/commit/702685b6a06ae45a544fc702027f1e4573d94aaa	Patch Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-mx3h-vc7w-r9c6	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta1::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta10::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta2::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta3::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta4::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta5::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta6::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta7::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta8::::::
	cpe:2.3:a:discourse:discourse:2.8.0:beta9::::::

History

12 Jan 2022, 20:17

Type	Values Removed	Values Added
References	~~(CONFIRM) https://github.com/discourse/discourse/security/advisories/GHSA-mx3h-vc7w-r9c6 -~~	(CONFIRM) https://github.com/discourse/discourse/security/advisories/GHSA-mx3h-vc7w-r9c6 - Patch, Third Party Advisory
References	~~(MISC) https://github.com/discourse/discourse/commit/702685b6a06ae45a544fc702027f1e4573d94aaa -~~	(MISC) https://github.com/discourse/discourse/commit/702685b6a06ae45a544fc702027f1e4573d94aaa - Patch, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.0 v3 : 4.3
CPE		cpe:2.3:a:discourse:discourse:2.8.0:beta1:::::: cpe:2.3:a:discourse:discourse:2.8.0:beta2:::::: cpe:2.3:a:discourse:discourse:2.8.0:beta7:::::: cpe:2.3:a:discourse:discourse:2.8.0:beta9:::::: cpe:2.3:a:discourse:discourse:2.8.0:beta4:::::: cpe:2.3:a:discourse:discourse:2.8.0:beta6:::::: cpe:2.3:a:discourse:discourse:2.8.0:beta8:::::: cpe:2.3:a:discourse:discourse:2.8.0:beta10:::::: cpe:2.3:a:discourse:discourse:2.8.0:beta5:::::: cpe:2.3:a:discourse:discourse:::::::: cpe:2.3:a:discourse:discourse:2.8.0:beta3::::::
CWE		CWE-200
First Time		Discourse Discourse discourse

05 Jan 2022, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-01-05 19:15

Updated : 2023-12-10 14:09

NVD link : CVE-2022-21642

Mitre link : CVE-2022-21642

CVE.ORG link : CVE-2022-21642

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

4.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2022-21642

4.3^/10

4.0^/10

Attach tags to `CVE-2022-21642`