Discourse Patreon is a plugin that synchronizes Discourse groups with Patreon reward tiers, so that forum owners can grant exclusive categories and content to their Patreon supporters; it can also act as a Patreon login provider for the forum. An improper authentication vulnerability in that login path allows an attacker to take control of a victim's forum account. This post covers the details of the vulnerability, the patch that fixes it, and the steps an administrator can take to prevent exploitation.

Vulnerability Details

This vulnerability affects only sites that have Patreon login enabled. It exists because the plugin accepts the email address attached to a Patreon account as proof that the person logging in owns that address, without checking whether Patreon has actually verified it. Patreon lets a user register an email address before confirming it, so an attacker can create a Patreon account that claims the victim's address, sign in to the forum through Patreon, and be matched to the victim's existing Discourse account by that unverified email. From that point the attacker holds a normal session for the victim's account and can act as that user.

The vulnerability has been assigned CVE-2022-39355. The fix is in commit 846d012151514b35ce42a1636c7d70f6dcee879e of the discourse-patreon plugin on GitHub. The change makes the plugin treat the Patreon email as trustworthy only when Patreon reports it as verified; a login whose email is not verified no longer gets matched to an existing forum account.

In simplified form, the check the patch introduces amounts to the following (schematic Ruby illustrating the logic, not a verbatim copy of the commit):

# Schematic: log the user in only if the email the login relied on is verified.
def log_on_user(user)
  if user.email_verified
    log_on(user)
  else
    # Unverified email: drop the session rather than trusting the address.
    logout
    flash[:error] = I18n.t("email_verification_required")
    redirect_to path("/")
  end
end

With this update, a Patreon login whose email address is unverified is refused: the session is discarded and the user is asked to verify the email before logging in again.
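To make the takeover path and the fix concrete, here is an added, self-contained model of the decision an OAuth login callback makes when the identity provider hands back an email address. It is not code from the discourse-patreon plugin or from Discourse core; ProviderInfo, Forum, vulnerable_login, hardened_login and takeover_demo are names constructed for this illustration, and the scenario data is made up. The vulnerable shape matches the account by email unconditionally; the hardened shape only does so when the provider says the email is verified, which is the general rule the patch described above restores.

```ruby
# Added example (not code from the discourse-patreon plugin): a minimal model of
# the decision an OAuth login callback makes when the identity provider hands
# back an email address. ProviderInfo, Forum, vulnerable_login, hardened_login
# and takeover_demo are constructed names for this illustration.

# What the provider (here, Patreon) tells the forum after a successful OAuth flow.
ProviderInfo = Struct.new(:provider_uid, :email, :email_verified, keyword_init: true)

# A toy forum: users keyed by email, plus explicit provider-uid -> user links
# created when someone previously signed in through the provider.
class Forum
  def initialize
    @users_by_email = {}
    @links_by_uid = {}
  end

  def add_user(id, email)
    @users_by_email[email.downcase] = id
  end

  def link_account(provider_uid, user_id)
    @links_by_uid[provider_uid] = user_id
  end

  def user_for_uid(provider_uid)
    @links_by_uid[provider_uid]
  end

  def user_for_email(email)
    @users_by_email[email.downcase]
  end
end

# Vulnerable shape: the provider's email is trusted unconditionally, so any
# forum account whose email matches is handed to whoever controls the provider
# login, verified or not.
def vulnerable_login(forum, info)
  if (user_id = forum.user_for_uid(info.provider_uid))
    return [:login, user_id]
  end
  if (user_id = forum.user_for_email(info.email))
    forum.link_account(info.provider_uid, user_id) # attacker's uid is now linked to the victim
    return [:login, user_id]
  end
  [:signup, info.email]
end

# Hardened shape: an email only counts as proof of ownership when the provider
# says it has verified it. An existing explicit link is still honoured because
# it is keyed on the provider uid, which the OAuth flow itself authenticated.
def hardened_login(forum, info)
  if (user_id = forum.user_for_uid(info.provider_uid))
    return [:login, user_id]
  end
  return [:reject, :email_verification_required] unless info.email_verified

  if (user_id = forum.user_for_email(info.email))
    forum.link_account(info.provider_uid, user_id)
    return [:login, user_id]
  end
  [:signup, info.email]
end

# Constructed scenario: the victim owns forum account 42; the attacker creates a
# Patreon account that claims the victim's address without confirming it.
def takeover_demo
  victim_email = "victim@example.org"
  attacker = ProviderInfo.new(provider_uid: "patreon-attacker",
                              email: victim_email, email_verified: false)
  before = Forum.new
  before.add_user(42, victim_email)
  after = Forum.new
  after.add_user(42, victim_email)
  { vulnerable: vulnerable_login(before, attacker), hardened: hardened_login(after, attacker) }
end

p takeover_demo if __FILE__ == $PROGRAM_NAME
```

Running the file prints the two outcomes side by side: the vulnerable path logs the attacker in as user 42, the hardened path rejects the login with `email_verification_required`. Note that the hardened version still lets an already-linked provider uid log in; after patching a real deployment you should therefore also revoke links and sessions created while the bug was live, which is what the mitigation section below asks for.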

Original References

- CVE-2022-39355: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39355
- Discourse Patreon Plugin GitHub Repository: https://github.com/discourse/discourse-patreon
- Patch Commit: https://github.com/discourse/discourse-patreon/commit/846d012151514b35ce42a1636c7d70f6dcee879e

Mitigation Steps

If you run a Discourse forum with this plugin, update discourse-patreon to a version that includes the patch. Updating alone does not undo a takeover that already happened: an attacker who logged in before the fix still holds a valid session and a Patreon-to-forum account link. Log out all users who have a Patreon account associated with their forum account, and review those associations so that any link established through an unverified email is removed and re-created only after the email has been verified.

If you cannot patch immediately, disable the Patreon integration and log out all users with associated Patreon accounts. This closes the login path the attack depends on until the patched version is deployed.

To disable the integration, open the Discourse admin settings and turn off the plugin's site settings (in the plugin's settings.yml these are named patreon_enabled and patreon_login_enabled; verify the exact names against your installed version). To invalidate the sessions of every user with a linked Patreon account, run the following from a Rails console on the forum host:

# Run in a Rails console (`rails c` inside the Discourse app container).
# Assumptions, not verified against the plugin source: Discourse core records
# OAuth logins in UserAssociatedAccount with provider_name "patreon", and a
# user's active sessions are the rows in UserAuthToken. Confirm both against
# your Discourse version before running this.
UserAssociatedAccount.where(provider_name: "patreon").includes(:user).find_each do |account|
  user = account.user
  next if user.nil?

  user.user_auth_tokens.destroy_all # revoke every active session for this user
  user.logged_out                   # fire Discourse's logout hooks (assumed to exist on User)
end

Conclusion

The improper authentication vulnerability in the Discourse Patreon plugin (CVE-2022-39355) puts user accounts at risk on any forum with Patreon login enabled. Apply the patch in commit 846d012151514b35ce42a1636c7d70f6dcee879e, log out and review users with linked Patreon accounts, and keep the plugin and Discourse itself current so that fixes like this one reach your forum promptly.

Timeline

Published on: 10/26/2022 20:15:00 UTC
Last modified on: 10/28/2022 19:39:00 UTC