CVE-2022-39356 - Discourse Invitation Vulnerability: Unauthorized Access to Non-admin Accounts
CVE-2022-39356 is a security vulnerability discovered in the popular community discussion platform Discourse. The vulnerability affects the platform's invitation system, allowing unauthorized users to gain access to non-admin accounts. The crucial part of the issue lies in the invitation links that are not scoped to a specific email address. In this article, we will dive deep into the vulnerability, examine the code snippets, provide links to original references, and discuss the exploit details. It is highly recommended for all Discourse users to upgrade to the latest version to mitigate this vulnerability. There is also a workaround that involves temporarily disabling the invitation functionality or scoping invitations to individual email addresses.
Code Snippet
The root cause of the vulnerability is that the invitation links generated by Discourse are not scoped to a single email address. When a user receives an invitation link, they can change the email address associated with the invitation and gain access to any non-admin account. Here is a sample code snippet of the invitation link generation process, which is vulnerable to this issue:
def create_invite_link(inviter, email = nil, options = {})
  # ... (setup elided in the original)
  if email
    # Scoped invite: the record carries the address it was issued for.
    invite = Invite.create!(email: email, ...)
  else
    # Generic invite: no email recorded, so the address is chosen at redemption time.
    invite = Invite.create!(...)
  end
  # ...
end
In the above code snippet, the create_invite_link method creates an invitation link. When the email parameter is not provided, the system generates a generic invitation link that is not scoped to any specific email address. This link can be exploited by an attacker to gain access to a non-admin user's account.
1. An attacker receives a generic invitation link that is not scoped to any specific email address.
2. The attacker changes the email address associated with the invitation link to that of a non-admin user.
3. The attacker accepts the invitation. As a result, the attacker gains access to the non-admin user's account.
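The following is an added illustration, not Discourse's own code, of the redemption-side check that closes this class of bug: the address bound to an account must come from the invite record, never from the redemption request, and a generic invite must not be allowed to claim an address that already belongs to an account. Class and method names (InviteStore, redeem_unscoped, redeem_scoped) are hypothetical.

```ruby
require 'securerandom'

# Hypothetical model: an invite is "scoped" when it was created for one address.
Invite = Struct.new(:key, :email, :redeemed) do
  def scoped?
    !email.nil?
  end
end

class InviteStore
  def initialize
    @invites = {}
  end

  def create(email: nil)
    invite = Invite.new(SecureRandom.hex(16), email&.downcase, false)
    @invites[invite.key] = invite
    invite
  end

  # Vulnerable pattern: the email supplied at redemption is trusted as-is,
  # so a generic link lets the redeemer bind to any address.
  def redeem_unscoped(key, claimed_email)
    invite = @invites.fetch(key)
    invite.redeemed = true
    { account: claimed_email.downcase, verified: false }
  end

  # Hardened pattern: a scoped invite only ever yields its own address, and a
  # generic invite may not claim an address that already belongs to an account.
  def redeem_scoped(key, claimed_email, existing_accounts)
    invite = @invites.fetch(key)
    claimed = claimed_email.downcase
    raise 'invite already used' if invite.redeemed
    if invite.scoped?
      raise 'email does not match invite' unless invite.email == claimed
      invite.redeemed = true
      return { account: invite.email, verified: true }
    end
    # Generic invite: only a brand-new, still-unverified account may be created.
    raise 'address belongs to an existing account' if existing_accounts.include?(claimed)
    invite.redeemed = true
    { account: claimed, verified: false }
  end
end
```

The `verified: false` result on a generic invite is the signal for the application to run its normal email-verification flow before treating the address as proven.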
Original References
1. Discourse Security Advisory - https://meta.discourse.org/t/security-advisory-invitations-bypass-email-identity-verification/224131
2. CVE Details - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39356
3. National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2022-39356
Mitigation and Workarounds
To protect against this vulnerability, all Discourse users should upgrade their instance to the latest version as soon as possible. The Discourse team has already released a patch addressing this issue. Upgrading your Discourse instance will ensure that invitation links are properly scoped to specific email addresses.
If you are unable to upgrade your instance immediately, you can use one of the following workarounds to mitigate the risk:
1. Temporarily disable the invitation functionality on your Discourse instance by setting the SiteSetting.max_invites_per_day to . This can be done using the following code snippet:
SiteSetting.max_invites_per_day =
2. Make sure to scope invitation links to individual email addresses whenever possible. By doing so, you are making it harder for an attacker to exploit this vulnerability.
Conclusion
CVE-2022-39356 is a severe security vulnerability in the Discourse platform that allows unauthorized users to gain access to non-admin accounts. It is crucial for Discourse users to upgrade their instances to the latest version or apply the workarounds discussed earlier to prevent potential exploitation. By staying informed and proactive in patching security vulnerabilities, you can help ensure the safety and privacy of your community's discussions.
Timeline
Published on: 11/02/2022 17:15:00 UTC
Last modified on: 11/04/2022 15:00:00 UTC