Vulnerability Description
Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only being serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff member, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Assign | < 1.0.1 |
Related Weaknesses (CWE)
References
- https://github.com/discourse/discourse-assign/pull/320Issue TrackingPatchThird Party Advisory
- https://github.com/discourse/discourse-assign/security/advisories/GHSA-9xhf-wvjxThird Party Advisory
- https://github.com/discourse/discourse-assign/pull/320Issue TrackingPatchThird Party Advisory
- https://github.com/discourse/discourse-assign/security/advisories/GHSA-9xhf-wvjxThird Party Advisory
FAQ
What is CVE-2022-24866?
CVE-2022-24866 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object...
How severe is CVE-2022-24866?
CVE-2022-24866 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-24866?
Check the references section above for vendor advisories and patch information. Affected products include: Discourse Assign.