1. Home
  2. CVE Database
  3. CVE-2022-31025
LOW · 2.6

CVE-2022-31025

Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the `stable` branch and 2.9.0beta5 on the `beta` and `tests-passed` branches, inviting users on sites that use ...

Vulnerability Description

Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the `stable` branch and 2.9.0beta5 on the `beta` and `tests-passed` branches, inviting users on sites that use single sign-on could bypass the `must_approve_users` check and invites by staff are always approved automatically. The issue is patched in Discourse version 2.8.4 on the `stable` branch and version `2.9.0.beta5` on the `beta` and `tests-passed` branches. As a workaround, disable invites or increase `min_trust_level_to_allow_invite` to reduce the attack surface to more trusted users.

CVSS Score

2.6

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
DiscourseDiscourse< 2.8.4

Related Weaknesses (CWE)

CWE-285

References

FAQ

What is CVE-2022-31025?

CVE-2022-31025 is a vulnerability with a CVSS score of 2.6 (LOW). Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the `stable` branch and 2.9.0beta5 on the `beta` and `tests-passed` branches, inviting users on sites that use ...

How severe is CVE-2022-31025?

CVE-2022-31025 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-31025?

Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse.