CVE-2022-31060

Summary

Discourse is an open-source discussion platform. Prior to version 2.8.4 in the stable branch and version 2.9.0.beta5 in the beta and tests-passed branches, banner topic data is exposed on login-required sites. This issue is patched in version 2.8.4 in the stable branch and version 2.9.0.beta5 in the beta and tests-passed branches of Discourse. As a workaround, one may disable banners.

Affected Software

VendorProductVersion RangeStatus
discoursediscoursestable < 2.8.4affected
discoursediscoursebeta <= 2.9.0.beta4affected
discoursediscoursetests-passed <= 2.9.0.beta4affected

Weaknesses

  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References