Discourse, a popular open-source discussion platform, has recently disclosed a vulnerability tracked as CVE-2022-41944. This security flaw allows users to keep seeing notifications for topics they no longer have access to, potentially exposing sensitive information included in topic titles. Users running older versions of Discourse should upgrade to patch this security issue. This article aims to provide a comprehensive understanding of the CVE-2022-41944 vulnerability, along with details regarding patches, a code snippet, and links to original references for further reading.

Exploit Details

The CVE-2022-41944 vulnerability affects stable versions of Discourse prior to 2.8.12 and beta or tests-passed versions prior to 2.9.0.beta13. The security issue arises when a user is granted access to a restricted topic whose title contains sensitive information. Once the user's access is revoked, they should no longer receive notifications about that topic. However, under certain conditions, users continue to receive notifications for these restricted topics, leading to unauthorized exposure of the sensitive information carried in the notification (notably the topic title).

Code Snippet

Here's a simplified example of what happens when notifications are mistakenly sent to users that no longer have access to a topic:

# In this example, @user1 initially has access to a restricted topic
restricted_topic = Topic.create(title: 'Sensitive Data', user: @moderator, access_limited: true)
AccessGrant.create(user: @user1, topic: restricted_topic)

# @user1 receives notifications for the restricted topic as expected
Notification.create(user: @user1, topic: restricted_topic)

# Later, @user1's access to the restricted topic is revoked
AccessRevocation.create(user: @user1, topic: restricted_topic)

# Due to the vulnerability, @user1 may still receive notifications for the restricted_topic, even though they no longer have access to it
Notification.create(user: @user1, topic: restricted_topic) # This should not happen!
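
The snippet above only sketches the flow. The following is an added, self-contained Ruby model of the defect and of two defensive fixes; it is not Discourse's own code, and the Topic, User and Notification structs, the helper functions and the sample records are all constructed assumptions for illustration. It assumes the notification row stores a copy of the topic title, which is what makes the stale row a leak.

```ruby
Topic = Struct.new(:id, :title, :allowed_user_ids)
User = Struct.new(:id)
Notification = Struct.new(:user_id, :topic_id, :title)

def can_see_topic?(user, topic)
  topic.allowed_user_ids.include?(user.id)
end

# Vulnerable path: every stored notification for the user is returned,
# so a topic title copied into a notification row keeps being shown after
# the user's access to that topic was revoked.
def notifications_vulnerable(user, notifications)
  notifications.select { |n| n.user_id == user.id }
end

# Mitigated path: re-check topic access at read time, so a stale row for a
# topic the user can no longer see is never surfaced.
def notifications_fixed(user, notifications, topics_by_id)
  notifications.select do |n|
    n.user_id == user.id && can_see_topic?(user, topics_by_id.fetch(n.topic_id))
  end
end

# Defence in depth: purge the user's rows for the topic at revocation time,
# so the title does not linger in the database either.
def revoke_access!(user, topic, notifications)
  topic.allowed_user_ids.delete(user.id)
  notifications.reject! { |n| n.user_id == user.id && n.topic_id == topic.id }
end

# Walk through the scenario from the article with constructed records.
def demo
  moderator = User.new(1)
  user1 = User.new(2)
  topic = Topic.new(10, 'Sensitive Data', [moderator.id, user1.id])
  topics = { topic.id => topic }
  notes = [Notification.new(user1.id, topic.id, topic.title)]

  # Revocation as the vulnerable code does it: the notification row stays.
  topic.allowed_user_ids.delete(user1.id)
  leaked = notifications_vulnerable(user1, notes).map(&:title)      # ["Sensitive Data"]
  filtered = notifications_fixed(user1, notes, topics).map(&:title) # []

  # Revocation with purge: nothing is left even for the vulnerable reader.
  topic.allowed_user_ids << user1.id
  revoke_access!(user1, topic, notes)
  purged = notifications_vulnerable(user1, notes).map(&:title)      # []

  { leaked: leaked, filtered: filtered, purged: purged }
end
```

Calling demo shows the title leaking through the unfiltered read, disappearing once access is re-checked at read time, and being gone entirely once revocation also purges the stale rows.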

Patches

Discourse developers have addressed this vulnerability in stable version 2.8.12, beta version 2.9.0.beta13, and tests-passed version 2.9.0.beta13. Users should update to these patched versions to resolve the security issue. No workarounds are available for earlier versions.

To learn more about this vulnerability and its patches, please consult the following official sources related to CVE-2022-41944:

1. Discourse Stable Release Announcement: https://meta.discourse.org/t/discourse-2-8-12-stable-release-notes/232283
2. Discourse Beta Release Announcement: https://meta.discourse.org/t/discourse-2-9--beta13-release-notes/232284
3. Discourse GitHub Repository: https://github.com/discourse/discourse
4. CVE-2022-41944 on NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-41944

Conclusion

The CVE-2022-41944 vulnerability in Discourse has the potential to expose sensitive information through topic notifications sent to users who are no longer authorized to access certain topics. To avoid the risk of unauthorized data exposure, administrators should update their stable version to 2.8.12, their beta version to 2.9.0.beta13, or their tests-passed version to 2.9.0.beta13. Regularly keeping your Discourse instance updated and monitoring the latest security patches will help you maintain a secure environment for your users.

Timeline

Published on: 11/28/2022 15:15:00 UTC
Last modified on: 12/01/2022 20:28:00 UTC