CVE-2021-41082

20.09.2021, 21:15

Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users were not able to view the posts in the leaked private message despite seeing it in their inbox. The problematic commit was reverted around 32 minutes after it was made. Users are encouraged to upgrade to the latest commit if they are running Discourse against the `tests-passed` branch.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 73%

Vendor	Product	Version
discourse	discourse	𝑥 < 2021-09-14

𝑥

= Vulnerable software versions

Common Weakness Enumeration

References

https://github.com/discourse/discourse/commit/27bad28c530c89acab35a56b945b6a3924280f4b

https://github.com/discourse/discourse/commit/ddb458343dc39a7a8c99467dcd809b444514fe2c

https://github.com/discourse/discourse/security/advisories/GHSA-vm3x-w6jm-j9vv

https://github.com/discourse/discourse/commit/27bad28c530c89acab35a56b945b6a3924280f4b

https://github.com/discourse/discourse/commit/ddb458343dc39a7a8c99467dcd809b444514fe2c

https://github.com/discourse/discourse/security/advisories/GHSA-vm3x-w6jm-j9vv