CVE-2022-46168

Source
https://cve.org/CVERecord?id=CVE-2022-46168
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-46168.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-46168
Aliases
Published
2023-01-05T17:18:58.143Z
Modified
2026-07-15T02:06:52.732446544Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Group SMTP user emails are exposed in CC email header
Details

Discourse is an option source discussion platform. Prior to version 2.8.14 on the stable branch and version 2.9.0.beta15 on the beta and tests-passed branches, recipients of a group SMTP email could see the email addresses of all other users inside the group SMTP topic. Most of the time this is not an issue as they are likely already familiar with one another's email addresses. This issue is patched in versions 2.8.14 and 2.9.0.beta15. The fix is that someone sending emails out via group SMTP to non-staged users masks those emails with blind carbon copy (BCC). Staged users are ones that have likely only interacted with the group via email, and will likely include other people who were CC'd on the original email to the group. As a workaround, disable group SMTP for any groups that have it enabled.

Database specific
{
    "cwe_ids": [
        "CWE-359"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/46xxx/CVE-2022-46168.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "2.9.0.beta0"
                },
                {
                    "fixed": "2.9.0.beta15"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/discourse/discourse

Affected ranges

Type
GIT
Repo
https://github.com/discourse/discourse
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Last affected
Database specific
{
    "cpe": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.9.0:beta1:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.9.0:beta10:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.9.0:beta11:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.9.0:beta12:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.9.0:beta13:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.9.0:beta14:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.9.0:beta2:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.9.0:beta3:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.9.0:beta4:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.9.0:beta5:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.9.0:beta6:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.9.0:beta7:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:2.9.0:beta8:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:3.0.0:beta15:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.8.14"
        },
        {
            "introduced": "2.9.0-beta1"
        },
        {
            "last_affected": "2.9.0-beta1"
        },
        {
            "introduced": "2.9.0-beta10"
        },
        {
            "last_affected": "2.9.0-beta10"
        },
        {
            "introduced": "2.9.0-beta11"
        },
        {
            "last_affected": "2.9.0-beta11"
        },
        {
            "introduced": "2.9.0-beta12"
        },
        {
            "last_affected": "2.9.0-beta12"
        },
        {
            "introduced": "2.9.0-beta13"
        },
        {
            "last_affected": "2.9.0-beta13"
        },
        {
            "introduced": "2.9.0-beta14"
        },
        {
            "last_affected": "2.9.0-beta14"
        },
        {
            "introduced": "2.9.0-beta2"
        },
        {
            "last_affected": "2.9.0-beta2"
        },
        {
            "introduced": "2.9.0-beta3"
        },
        {
            "last_affected": "2.9.0-beta3"
        },
        {
            "introduced": "2.9.0-beta4"
        },
        {
            "last_affected": "2.9.0-beta4"
        },
        {
            "introduced": "2.9.0-beta5"
        },
        {
            "last_affected": "2.9.0-beta5"
        },
        {
            "introduced": "2.9.0-beta6"
        },
        {
            "last_affected": "2.9.0-beta6"
        },
        {
            "introduced": "2.9.0-beta7"
        },
        {
            "last_affected": "2.9.0-beta7"
        },
        {
            "introduced": "2.9.0-beta8"
        },
        {
            "last_affected": "2.9.0-beta8"
        },
        {
            "introduced": "3.0.0-beta15"
        },
        {
            "last_affected": "3.0.0-beta15"
        }
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ]
}

Affected versions

2.*
2.9.0-beta1
2.9.0-beta10
2.9.0-beta11
2.9.0-beta12
2.9.0-beta13
2.9.0-beta14
2.9.0-beta2
2.9.0-beta3
2.9.0-beta4
2.9.0-beta5
2.9.0-beta6
2.9.0-beta7
2.9.0-beta8
3.*
3.0.0-beta15
v0.*
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9
v0.9.0
v0.9.1
v0.9.2
v0.9.2.5
v0.9.2.6
v0.9.3
v0.9.4
v0.9.5
v0.9.5.1
v0.9.5.2
v0.9.6
v0.9.6.1
v0.9.6.3
v0.9.6.4
v0.9.7
v0.9.7.1
v0.9.7.2
v0.9.7.3
v0.9.7.4
v0.9.7.5
v0.9.7.6
v0.9.7.7
v0.9.7.8
v0.9.7.9
v0.9.8
v0.9.8.1
v0.9.8.10
v0.9.8.11
v0.9.8.2
v0.9.8.3
v0.9.8.4
v0.9.8.5
v0.9.8.6
v0.9.8.7
v0.9.8.8
v0.9.8.9
v0.9.9.1
v0.9.9.10
v0.9.9.11
v0.9.9.12
v0.9.9.13
v0.9.9.14
v0.9.9.15
v0.9.9.16
v0.9.9.17
v0.9.9.18
v0.9.9.2
v0.9.9.3
v0.9.9.4
v0.9.9.5
v0.9.9.6
v0.9.9.7
v0.9.9.8
v0.9.9.9
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.6.10
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.0
v1.7.1
v1.7.10
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.8.0
v1.8.1
v1.8.10
v1.8.11
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.3.0
v2.3.1
v2.3.10
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.7.0
v2.7.1
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v2.8.1
v2.8.10
v2.8.11
v2.8.12
v2.8.13
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v2.9.0.beta1
v2.9.0.beta10
v2.9.0.beta11
v2.9.0.beta12
v2.9.0.beta13
v2.9.0.beta14
v2.9.0.beta2
v2.9.0.beta3
v2.9.0.beta4
v2.9.0.beta5
v2.9.0.beta6
v2.9.0.beta7
v2.9.0.beta8
v2.9.0.beta9
v3.*
v3.0.0.beta15

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-46168.json"