Discourse up to 3.0.3/3.1.0.beta4 permission assignment
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.1 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic has been found in Discourse up to 3.0.3/3.1.0.beta4. Impacted is an unknown function. Performing a manipulation results in permission assignment. This vulnerability is cataloged as CVE-2023-31142. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.
Details
A vulnerability classified as problematic has been found in Discourse up to 3.0.3/3.1.0.beta4. This affects some unknown processing. The manipulation with an unknown input leads to a permission assignment vulnerability. CWE is classifying the issue as CWE-732. The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. This is going to have an impact on confidentiality. The summary by CVE is:
Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, if a site has modified their general category permissions, they could be set back to the default. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. A workaround, only if you are modifying the general category permissions, is to use a new category for the same purpose.
The weakness was shared 06/14/2023 as GHSA-286w-97m2-78x2. The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2023-31142 since 04/24/2023. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available.
Upgrading to version 3.0.4 or 3.1.0.beta5 eliminates this vulnerability.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Name
Version
License
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 3.1VulDB Meta Temp Score: 3.1
VulDB Base Score: 2.0
VulDB Temp Score: 1.9
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 5.3
NVD Vector: 🔍
CNA Base Score: 2.0
CNA Vector (GitHub, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Permission assignmentCWE: CWE-732 / CWE-275 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Discourse 3.0.4/3.1.0.beta5
Timeline
04/24/2023 🔍06/14/2023 🔍
06/14/2023 🔍
07/13/2023 🔍
Sources
Product: github.comAdvisory: GHSA-286w-97m2-78x2
Status: Confirmed
CVE: CVE-2023-31142 (🔍)
GCVE (CVE): GCVE-0-2023-31142
GCVE (VulDB): GCVE-100-231489
Entry
Created: 06/14/2023 06:02Updated: 07/13/2023 08:33
Changes: 06/14/2023 06:02 (48), 07/13/2023 08:33 (11)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.