CVE-2022-31025

Summary

Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the stable branch and 2.9.0beta5 on the beta and tests-passed branches, inviting users on sites that use single sign-on could bypass the must_approve_users check and invites by staff are always approved automatically. The issue is patched in Discourse version 2.8.4 on the stable branch and version 2.9.0.beta5 on the beta and tests-passed branches. As a workaround, disable invites or increase min_trust_level_to_allow_invite to reduce the attack surface to more trusted users.

Affected Software

VendorProductVersion RangeStatus
discoursediscourse< 2.8.4affected
discoursediscourse>= 2.9.0.beta1, <= 2.9.0.beta4affected

Weaknesses

  • CWE-285: CWE-285: Improper Authorization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References