CVE-2022-24866
Last modified
CVE-2022-24866 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. EPSS estimates a 0.61% chance of exploitation in the next 30 days.
Description
Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only being serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff member, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Assign | < 1.0.1 |
References
- https://github.com/discourse/discourse-assign/pull/320Issue Tracking, Patch, Third Party Advisory
- https://github.com/discourse/discourse-assign/pull/320Issue Tracking, Patch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-24866?
How severe is CVE-2022-24866?
How do I fix CVE-2022-24866?
Are you affected by CVE-2022-24866?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST