CVE-2021-41082

Published: Sep 20, 2021

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users were not able to view the posts in the leaked private message despite seeing it in their inbox. The problematic commit was reverted around 32 minutes after it was made. Users are encouraged to upgrade to the latest commit if they are running Discourse against the `tests-passed` branch.

Vendor	Product	Versions
discourse	discourse	affected `>= tests-passed = ddb4583, < tests-passed = 27bad28`

Weaknesses (CWE)

CWE-200

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/discourse/discourse/security/advisories/GHSA-vm3x-w6jm-j9vv

x_refsource_CONFIRM

https://github.com/discourse/discourse/commit/27bad28c530c89acab35a56b945b6a3924280f4b

x_refsource_MISC

https://github.com/discourse/discourse/commit/ddb458343dc39a7a8c99467dcd809b444514fe2c

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-41082

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References