CVE-2022-39385: Discourse Invitation Redemption Vulnerability Leading to Unauthorized Access to Private Message Topics

Discourse is a popular open source discussion platform used by a wide range of communities worldwide. This post describes a recent vulnerability (CVE-2022-39385) discovered in Discourse's invitation redemption process. In rare cases, users redeeming an invitation could gain unauthorized access to private message topics.

We will go through the details of this vulnerability, including code snippets, original references, and exploit details. The Discourse team has already addressed this issue in a recent commit (a414520742) and will include the fix in future releases. Users are advised to upgrade their Discourse instances and set the SiteSetting.max_invites_per_day to  as a temporary precaution until the patch is installed.

Vulnerability Details

When a user redeems an invitation to join a Discourse community, the user can, under certain conditions, be added as a participant to private message topics they should not have access to. This happens transparently in the background, without any notification of the unauthorized access.

The vulnerability occurs in the invitation redemption process, as shown in the following code snippet:

# app/models/invite.rb (excerpt; the elided bodies are not reproduced on this page)

def redeem(user:)
  ...
  # Called during redemption: adds the newly redeemed user to the private
  # message topics attached to the invite. Before the fix this did not check
  # strictly enough whether the user should be granted access to those topics.
  add_to_private_message_topics(user)
  ...
end

def add_to_private_message_topics(user)
  ...
end

This issue has been resolved in commit a414520742 by adding stricter conditions to the add_to_private_message_topics method. The fix will be included in future releases of Discourse.
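To make the defect concrete, here is a simplified model of the unchecked and the hardened shape of such a method. This is an added example, not Discourse's own code: the Topic and Invite structs, the particular condition (only private message topics, and only when the inviter is still a participant of the topic) and the sample data are assumptions, since the page does not reproduce the exact condition from the commit.

```ruby
# Minimal stand-ins for the Discourse models (assumption, not the real schema).
Topic = Struct.new(:id, :private_message, :participant_ids) do
  def private_message?
    private_message
  end
end
Invite = Struct.new(:invited_by_id, :topic_ids)

class Redeemer
  def initialize(topics)
    @topics = topics.to_h { |t| [t.id, t] }
  end

  # Unchecked shape: trusts every topic id attached to the invite and adds the
  # redeeming user to all of them. Returns the ids the user was added to.
  def add_to_private_message_topics_unchecked(invite, user_id)
    invite.topic_ids.each { |id| @topics[id].participant_ids << user_id }
    invite.topic_ids
  end

  # Hardened shape: grant access only to private message topics, and only when
  # the inviter is still a participant (modelled condition, see lead-in).
  def add_to_private_message_topics(invite, user_id)
    invite.topic_ids.select do |id|
      topic = @topics[id]
      next false unless topic&.private_message?
      next false unless topic.participant_ids.include?(invite.invited_by_id)
      topic.participant_ids << user_id unless topic.participant_ids.include?(user_id)
      true
    end
  end
end

# Constructed sample data: one PM the inviter belongs to, one PM they do not,
# and one public topic. User 10 is the inviter, user 99 redeems the invite.
def sample_topics
  [Topic.new(1, true, [10, 11]), Topic.new(2, true, [20, 21]), Topic.new(3, false, [10])]
end

def sample_invite
  Invite.new(10, [1, 2, 3])
end

def redeem_unchecked
  Redeemer.new(sample_topics).add_to_private_message_topics_unchecked(sample_invite, 99)
end

def redeem_checked
  Redeemer.new(sample_topics).add_to_private_message_topics(sample_invite, 99)
end
```

With the sample data the unchecked path adds user 99 to all three topics, while the checked path only admits them to topic 1.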

Users of Discourse can take the following steps to protect their communities from this vulnerability:

1. Upgrade to the latest version of Discourse: The official fix will be included in future releases of the software, so make sure to stay up-to-date with the latest version.

2. Set SiteSetting.max_invites_per_day to : As a temporary precaution, administrators can disable the invitation feature by setting the max_invites_per_day site setting to . This prevents new invitations from being sent out and blocks the redemption path through which the vulnerability is exploited.

Original References

For more information about this vulnerability and the related patch, users are encouraged to refer to the following resources:

- Discourse GitHub Repository: https://github.com/discourse/discourse
- Commit a414520742: https://github.com/discourse/discourse/commit/a414520742e2a92c11873e12448b834b532634b

Conclusion

The Discourse team is committed to providing a secure and robust platform for its users. This post sheds light on a recent vulnerability (CVE-2022-39385) that could have allowed unauthorized access to private message topics in some instances. The issue has been addressed with a code patch, and users are advised to upgrade their Discourse instances and disable invitations temporarily as a precaution.

Timeline

Published on: 11/14/2022 21:15:00 UTC
Last modified on: 11/17/2022 20:24:00 UTC