BIT-discourse-2022-21677

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2022-21677.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-discourse-2022-21677

Aliases

CVE-2022-21677
GHSA-768r-ppv4-5r27

Published

2024-03-06T11:08:07.875Z

Modified

2025-11-06T13:25:46.476Z

Summary

Group advanced search option may leak group and group's members visibility

Details

Discourse is an open source discussion platform. Discourse groups can be configured with varying visibility levels for the group as well as the group members. By default, a newly created group has its visibility set to public and the group's members visibility set to public as well. However, a group's visibility and the group's members visibility can be configured such that it is restricted to logged on users, members of the group or staff users. A vulnerability has been discovered in versions prior to 2.7.13 and 2.8.0.beta11 where the group advanced search option does not respect the group's visibility and members visibility level. As such, a group with restricted visibility or members visibility can be revealed through search with the right search option. This issue is patched in stable version 2.7.13, beta version 2.8.0.beta11, and tests-passed version 2.8.0.beta11 versions of Discourse. There are no workarounds aside from upgrading.

Database specific

{
    "cpes": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.8.0:beta10:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.8.0:beta1:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.8.0:beta2:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.8.0:beta3:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.8.0:beta4:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.8.0:beta5:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.8.0:beta6:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.8.0:beta7:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.8.0:beta8:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.8.0:beta9:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / discourse

Package

Name: discourse
Purl: pkg:bitnami/discourse

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.7.12