All users are encouraged to upgrade as soon as possible. As a precaution, users whose password is not the e-mail address associated with their account are advised to change it. The password reset functionality has been patched in the 2.x and 1.19.x releases.

Users who have enabled the password generator, or who have changed their password through it, are advised to disable the generator or to set a new password themselves, to avoid any issues related to password cracking. The password generator has also been patched in 2.x and 1.19.x. Users can upgrade to a patched version by following the instructions on the support page.

NodeBB supports several data storage backends (Redis, MongoDB or PostgreSQL) and a range of notification channels (e-mail, Slack, PagerDuty, SMS and other messaging systems). None of these settings need to change. If you had the password generator enabled and changed your password through it, you are nevertheless encouraged to review the storage and notification methods once the upgrade is done and switch to a more secure option where one is available.

NodeBB Team's Response

NodeBB team members have been notified of the issue and are working with users to provide the best possible service.

NodeBB 2.x and 1.19 password management and recovery

NodeBB v2.x and 1.19 offer a password recovery function for users whose password is not their e-mail address. The password reset functionality has been patched in 2.x and 1.19.x, as has the password generator that is enabled by default in NodeBB v1.x.
These vulnerabilities were discovered by @_qaz_qaz_qaz on GitHub and have since been reported to the NodeBB team by following the security disclosure process described in our security policy (http://www.nodbbbforum.com/security-policy/).

NodeBB version ##

Patched releases are available in the 2.x and 1.19.x series, and the password generator has been patched in both.
NodeBB users are encouraged to change their password as soon as they can, to avoid any issues related to password cracking and the password generator.
Users are also encouraged to review the notification method for their account (e-mail, Slack, PagerDuty, SMS, etc.) after upgrading to NodeBB v2.x or 1.19.x.

NodeBB 2.x and 1.19.x

NodeBB v2.x and NodeBB v1.19.x include a patch for CVE-2022-36045, which allows an attacker to hijack your account without your knowledge or consent by sending you a URL containing special characters such as %3A, %2C and %7E (the percent-encoded colon, comma and tilde). The vulnerability was found by @mzmc on May 9th. Further testing showed that it is exploitable only when the password generator is enabled and the user has changed their password through it (v1.16 or higher); the fix has been released in NodeBB v2.x and NodeBB v1.19.x.

Timeline

Published on: 08/31/2022 15:15:00 UTC
Last modified on: 09/06/2022 18:09:00 UTC