CVE-2022-21684 in Discourseinfo

Zusammenfassung

von MITRE • 14.01.2022

Discourse is an open source discussion platform. Versions prior to 2.7.13 in `stable`, 2.8.0.beta11 in `beta`, and 2.8.0.beta11 in `tests-passed` allow some users to log in to a community before they should be able to do so. A user invited via email to a forum with `must_approve_users` enabled is going to be automatically logged in, bypassing the check that does not allow unapproved users to sign in. They will be able to do everything an approved user can do. If they logout, they cannot log back in. This issue is patched in the `stable` version 2.7.13, `beta` version 2.8.0.beta11, and `tests-passed` version 2.8.0.beta11. One may disable invites as a workaround. Administrators can increase `min_trust_level_to_allow_invite` to reduce the attack surface to more trusted users.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub, Inc.

Reservieren

16.11.2021

Veröffentlichung

14.01.2022

Moderieren

akzeptiert

Eintrag

VDB-190352

CPE

bereit

CWE

CWE-287 (bestätigt)

CVSS

4.3 (CNA)

EPSS

0.00128

KEV

nein

Aktivitäten

very low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2022-21684
NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-21684
CVE Details	https://www.cvedetails.com/cve/CVE-2022-21684/

◂ Zurück Übersicht Weiter ▸

Do you know our Splunk app?

Download it now for free!