CVE-2022-39385
Published: 14 November 2022
Summary
CVE-2022-39385 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Discourse Discourse. Its CVSS base score is 6.5 (Medium).
Operationally, ranked at the 49.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-41841
Vulnerability details
Discourse is the an open source discussion platform. In some rare cases users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this,…
more
it happens transparently in the background. This issue has been resolved in commit `a414520742` and will be included in future releases. Users are advised to upgrade. Users are also advised to set `SiteSetting.max_invites_per_day` to 0 until the patch is installed.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
Ensures authorization decisions for external system use are correctly implemented and enforced.
It assists users in evaluating and applying correct authorization decisions when sharing information with external partners.
Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
Drives review and correction of flawed authorization logic applied to organizational data.
Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems.
Restricts processing strictly to documented authorized uses, mitigating incorrect authorization decisions for sensitive data.
Addresses incorrect authorization by requiring independent verification of results and an opportunity to contest before any adverse action is taken.