CVE-2023-23935 in Discourse

Summary

by MITRE • 03/16/2023

Discourse is an open-source messaging platform. In versions 3.0.1 and prior on the `stable` branch and versions 3.1.0.beta2 and prior on the `beta` and `tests-passed` branches, the count of personal messages displayed for a tag is a count of all personal messages regardless of whether the personal message is visible to a given user. As a result, any users can technically poll a sensitive tag to determine if a new personal message is created even if the user does not have access to the personal message. In the patched versions, the count of personal messages tagged with a given tag is hidden by default. To revert to the old behaviour of displaying the count of personal messages for a given tag, an admin may enable the `display_personal_messages_tag_counts` site setting.


Analysis

by VulDB Data Team • 04/11/2023

This vulnerability affects Discourse, an open-source messaging platform, where the system fails to properly enforce access controls when calculating and displaying personal message counts for specific tags. The flaw exists in versions 3.0.1 and earlier on the stable branch, as well as versions 3.1.0.beta2 and earlier on the beta and tests-passed branches. The core technical issue stems from improper authorization checks during the tag counting process, where the system returns aggregate counts of all personal messages associated with a tag regardless of individual user permissions. This represents a violation of the principle of least privilege and information disclosure, as users can indirectly access sensitive information about message creation through enumeration techniques.

The operational impact of this vulnerability allows any authenticated user to perform information gathering attacks by polling specific tags to determine when new personal messages are created, even if they lack direct access to those messages. This creates a reconnaissance vector that can be exploited by malicious actors to map the communication patterns and activity levels within the platform. The vulnerability directly relates to CWE-200, Information Exposure, and CWE-668, Provision of Unnecessarily Broad Access, as it exposes more information than intended through the tag counting mechanism. Attackers can leverage this to perform passive reconnaissance, potentially identifying high-value targets or sensitive communication patterns without direct access to the content.

The security implications extend beyond simple information disclosure, as this vulnerability enables an indirect access control bypass through enumeration. The patched implementation addresses this by hiding personal message tag counts by default, requiring explicit administrative configuration to restore the previous behavior. This change aligns with the principle of defense in depth, where the default configuration should minimize information exposure. Organizations using Discourse should upgrade to the patched versions promptly and review the `display_personal_messages_tag_counts` site setting to ensure it is only enabled when genuinely required. The vulnerability demonstrates the importance of proper access control implementation in web applications and highlights the need for thorough testing of permission models, particularly in systems handling sensitive communication data.

The mitigation strategy involves implementing proper access control checks during tag counting operations, ensuring that only users with appropriate permissions can view message counts for tags they have access to. This follows ATT&CK technique T1083, File and Directory Discovery, where attackers attempt to gather information about the system's structure. Security teams should also implement monitoring for unusual polling patterns or enumeration attempts targeting tag counting endpoints. The vulnerability underscores the importance of regular security audits and the need for comprehensive testing of access control mechanisms in multi-user collaborative platforms. Organizations should also consider implementing rate limiting on tag counting queries to prevent automated enumeration attacks and ensure that all user interactions with tagging systems properly validate permissions before returning any data.
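The two mitigations described above, the permission-scoped count behind an off-by-default setting and monitoring for repeated polling of tag-count endpoints, are illustrated below. This is an added example written for this page, not Discourse's own code: the `PrivateMessage` struct, the sample messages, the log line format and the `/tags/<tag>/pm-count` path are all constructed for the illustration. Only the setting name `display_personal_messages_tag_counts` comes from the advisory.

```ruby
require "time"

# Constructed model of a personal message: its tags and the users who may read it.
PrivateMessage = Struct.new(:id, :tags, :participant_ids)

# Constructed sample data: two PMs tagged "hr-confidential", one tagged "general".
MESSAGES = [
  PrivateMessage.new(1, ["hr-confidential"], [10, 11]),
  PrivateMessage.new(2, ["hr-confidential"], [10, 12]),
  PrivateMessage.new(3, ["general"],         [11, 12]),
].freeze

# Vulnerable behaviour as the advisory describes it: the count is taken over every
# personal message carrying the tag, without regard to who is asking.
def unscoped_pm_tag_count(tag, messages = MESSAGES)
  messages.count { |pm| pm.tags.include?(tag) }
end

def visible_to?(pm, user_id)
  pm.participant_ids.include?(user_id)
end

# Hardened behaviour: nil (hidden) unless the site setting is enabled, and when it
# is enabled, the count covers only messages the requesting user can actually read.
# The default mirrors the patched release, where the count is hidden.
def scoped_pm_tag_count(tag, user_id, messages: MESSAGES,
                        display_personal_messages_tag_counts: false)
  return nil unless display_personal_messages_tag_counts

  messages.count { |pm| pm.tags.include?(tag) && visible_to?(pm, user_id) }
end

# Constructed access-log lines (the format and path are assumptions, not the
# application's real log format): user 12 polls one tag every five seconds.
SAMPLE_LOG = <<~LOG
  2023-03-16T10:00:00Z user=12 GET /tags/hr-confidential/pm-count
  2023-03-16T10:00:05Z user=12 GET /tags/hr-confidential/pm-count
  2023-03-16T10:00:10Z user=12 GET /tags/hr-confidential/pm-count
  2023-03-16T10:00:15Z user=12 GET /tags/hr-confidential/pm-count
  2023-03-16T10:00:20Z user=12 GET /tags/hr-confidential/pm-count
  2023-03-16T10:00:00Z user=11 GET /tags/general/pm-count
  2023-03-16T10:05:00Z user=11 GET /tags/general/pm-count
LOG

LINE_RE = /\A(?<ts>\S+) user=(?<user>\d+) GET (?<path>\S+)\z/
TAG_COUNT_PATH_RE = %r{\A/tags/([^/]+)/pm-count\z}

# Returns [user_id, tag] pairs that requested a tag count more than `limit` times
# inside any sliding window of `window` seconds. The same logic can back a
# rate limiter on the endpoint or an alert in the SIEM.
def polling_users(log = SAMPLE_LOG, limit: 4, window: 60)
  hits = Hash.new { |h, k| h[k] = [] }
  log.each_line do |line|
    m = LINE_RE.match(line.strip) or next
    tag = m[:path][TAG_COUNT_PATH_RE, 1] or next
    hits[[m[:user].to_i, tag]] << Time.iso8601(m[:ts])
  end
  hits.select do |_, times|
    times.sort!
    times.each_with_index.any? do |t, i|
      times[i, times.size].count { |u| u - t <= window } > limit
    end
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "unscoped: #{unscoped_pm_tag_count('hr-confidential')}"
  puts "scoped (user 12, setting off): #{scoped_pm_tag_count('hr-confidential', 12).inspect}"
  puts "scoped (user 12, setting on): #{scoped_pm_tag_count('hr-confidential', 12, display_personal_messages_tag_counts: true)}"
  puts "polling: #{polling_users.inspect}"
end
```

With the unscoped count, user 12 sees the total rise from 2 to 3 the moment a new tagged message between users 10 and 11 is created, which is exactly the signal the advisory warns about; with the scoped count that user sees 1 either way, and nothing at all while the setting is off. The polling detector flags user 12 for five requests in twenty seconds and ignores user 11's two requests five minutes apart.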

Responsible

GitHub, Inc.

Reservation

01/19/2023

Disclosure

03/16/2023

Moderation

accepted

CPE

ready

EPSS

0.00501

KEV

no

Activities

very low
