Discourse is a popular open-source platform for creating modern and engaging community forums. Recently, a security vulnerability (CVE-2022-39378) was discovered in Discourse, which could potentially lead to exposure of sensitive information in certain scenarios. In this post, we'll discuss the vulnerability in detail, demonstrate an example using code snippets, and provide information on how to address the issue and protect your Discourse forum.

Overview of CVE-2022-39378

CVE-2022-39378 is an information exposure vulnerability that affects certain versions of Discourse. Under specific conditions, a user badge may be awarded based on a user's activity in a topic with restricted access. However, before this vulnerability was fixed, the title of the associated topic might be visible to any user, which could lead to the unintentional disclosure of sensitive information in the topic title.

This issue has been patched in the latest stable, beta, and tests-passed versions of Discourse, and there are no known workarounds available at the moment.

Details of the Vulnerability

To illustrate the issue, let's take a look at the relevant Discourse source code responsible for handling user badges:

```ruby
# app/models/user_badge.rb (as excerpted on this page; elided lines are marked)
def self.maybe_grant_badge(badge, user, opts = {})
  # ... (preceding logic omitted on the page)
  if topic_id = opts.delete(:topic_id)
    # Refuse to grant when the referenced topic is not visible
    return if Topic.where(id: topic_id, visible: true).pluck('id').empty?
  end
  # ... (check whether the badge should be granted; omitted on the page)
end
```

In the code snippet above, the maybe_grant_badge method decides whether a given user should be awarded a badge based on certain conditions. If the topic associated with the badge has restricted access, the method should not grant the badge. Before the fix, however, the title of the topic tied to a granted badge could still be shown to any user, including users who are not allowed to see the topic itself.

Exploit Scenario

Suppose a forum administrator creates a restricted-access topic (e.g., only visible to staff members) with a sensitive title, such as "Upcoming Layoffs Discussion." Now, if a user with access to this topic receives a badge based on their activity in this topic, the title of this topic, including the sensitive information, would be exposed to any user viewing the list of user badges.
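To make the two passages above concrete, here is an added illustration in Ruby that is not Discourse's own code. It models a badge listing in two shapes: one that copies the associated topic's title into the payload for every viewer (the leak described in the scenario above), and one that asks a guardian-style check whether the viewer may see that topic before including the title. Everything here is hypothetical: the Topic, User, UserBadge and Guardian types, the serialize_badge_unchecked and serialize_badge_for functions, and the constructed sample data (the topic title is the one used in the scenario above).

```ruby
# Added illustration (not Discourse's own code): how a badge listing can leak a
# restricted topic's title, and the viewer-aware check that closes the leak.
# All names and sample data below are hypothetical/constructed.

Topic = Struct.new(:id, :title, :staff_only, keyword_init: true)
User = Struct.new(:name, :staff, keyword_init: true)
UserBadge = Struct.new(:badge_name, :user, :topic, keyword_init: true)

# Minimal authorization check (hypothetical, modelled on the "guardian" idea):
# a staff-only topic is visible to staff users only; an anonymous viewer (nil)
# sees only unrestricted topics.
class Guardian
  def initialize(viewer)
    @viewer = viewer
  end

  def can_see_topic?(topic)
    return true unless topic.staff_only
    !@viewer.nil? && @viewer.staff
  end
end

# Vulnerable shape: the topic title is copied into the badge payload regardless
# of who is asking for it, so anyone listing badges learns the restricted title.
def serialize_badge_unchecked(user_badge)
  {
    badge: user_badge.badge_name,
    granted_to: user_badge.user.name,
    topic_id: user_badge.topic&.id,
    topic_title: user_badge.topic&.title,
  }
end

# Fixed shape: the serializer consults the viewer's guardian and omits the topic
# reference entirely (id and title) when the viewer may not see that topic.
def serialize_badge_for(user_badge, viewer)
  payload = { badge: user_badge.badge_name, granted_to: user_badge.user.name }
  topic = user_badge.topic
  if topic && Guardian.new(viewer).can_see_topic?(topic)
    payload[:topic_id] = topic.id
    payload[:topic_title] = topic.title
  end
  payload
end

# Constructed sample data.
SECRET_TOPIC = Topic.new(id: 42, title: "Upcoming Layoffs Discussion", staff_only: true)
PUBLIC_TOPIC = Topic.new(id: 7, title: "Welcome thread", staff_only: false)
STAFF_USER = User.new(name: "alice", staff: true)
MEMBER = User.new(name: "bob", staff: false)
SECRET_BADGE = UserBadge.new(badge_name: "Nice Reply", user: STAFF_USER, topic: SECRET_TOPIC)
PUBLIC_BADGE = UserBadge.new(badge_name: "First Like", user: MEMBER, topic: PUBLIC_TOPIC)

if __FILE__ == $0
  puts "unchecked, any viewer:      #{serialize_badge_unchecked(SECRET_BADGE)}"
  puts "checked, anonymous viewer:  #{serialize_badge_for(SECRET_BADGE, nil)}"
  puts "checked, non-staff member:  #{serialize_badge_for(SECRET_BADGE, MEMBER)}"
  puts "checked, staff viewer:      #{serialize_badge_for(SECRET_BADGE, STAFF_USER)}"
end
```

The design point is that the authorization decision belongs at the point where data is rendered for a particular viewer, not only at the point where the badge is granted: even if a grant for a restricted topic is legitimate, the badge payload must be filtered per viewer, and dropping the topic reference entirely (rather than blanking only the title) avoids leaking the topic id as well.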

As mentioned earlier, this vulnerability has been fixed in the latest versions of Discourse.

Mitigation Steps

To protect your Discourse forum from this vulnerability, it's highly recommended that you update to the latest version:

- For those on the stable branch, update to the latest stable version: Discourse Stable Release
- For those on the beta branch, update to the latest beta version: Discourse Beta Release
- For those on the tests-passed branch, update to the latest tests-passed version: Discourse Tests-Passed Release

Updating your Discourse forum to one of these versions will ensure that the CVE-2022-39378 vulnerability is patched, and that your forum's topic titles are not inadvertently exposed through user badges.

Conclusion

CVE-2022-39378 is a critical information exposure vulnerability that could potentially lead to the unintended disclosure of sensitive information in your Discourse forum. To mitigate this vulnerability, update your Discourse forum to the latest stable, beta, or tests-passed release. This will protect your forum from this vulnerability and help maintain the privacy and security of your community.

Timeline

Published on: 11/02/2022 17:15:00 UTC
Last modified on: 11/04/2022 14:21:00 UTC