CVE-2022-46168

EPSS 0.26%
Veröffentlicht 05.01.2023 18:15:08
Zuletzt bearbeitet 21.11.2024 07:30:14
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta15 on the `beta` and `tests-passed` branches, recipients of a group SMTP email could see the email addresses of all other users inside the group SMTP topic. Most of the time this is not an issue as they are likely already familiar with one another's email addresses. This issue is patched in versions 2.8.14 and 2.9.0.beta15. The fix is that someone sending emails out via group SMTP to non-staged users masks those emails with blind carbon copy (BCC). Staged users are ones that have likely only interacted with the group via email, and will likely include other people who were CC'd on the original email to the group. As a workaround, disable group SMTP for any groups that have it enabled.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Discourse ≫ Discourse Version < 2.8.14

Discourse ≫ Discourse Version2.9.0 Updatebeta1

Discourse ≫ Discourse Version2.9.0 Updatebeta10

Discourse ≫ Discourse Version2.9.0 Updatebeta11

Discourse ≫ Discourse Version2.9.0 Updatebeta12

Discourse ≫ Discourse Version2.9.0 Updatebeta13

Discourse ≫ Discourse Version2.9.0 Updatebeta14

Discourse ≫ Discourse Version2.9.0 Updatebeta2

Discourse ≫ Discourse Version2.9.0 Updatebeta3

Discourse ≫ Discourse Version2.9.0 Updatebeta4

Discourse ≫ Discourse Version2.9.0 Updatebeta5

Discourse ≫ Discourse Version2.9.0 Updatebeta6

Discourse ≫ Discourse Version2.9.0 Updatebeta7

Discourse ≫ Discourse Version2.9.0 Updatebeta8

Discourse ≫ Discourse Version3.0.0 Updatebeta15

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.26%	0.494

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
security-advisories@github.com	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

https://github.com/discourse/discourse/pull/19724

Patch

Third Party Advisory

https://github.com/discourse/discourse/security/advisories/GHSA-8p7g-3wm6-p3rm

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-46168

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-46168

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-46168

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-46168