!! Attention community admins and users !! A recently discovered vulnerability identified as CVE-2023-45131 has been affecting the security of Discourse platforms. Discourse is an open-source platform designed for community discussions and is widely used across numerous platforms. Before we dive into the details of the vulnerability, rest assured that Discourse developers have already prepared a patch and it's highly recommended that you upgrade immediately.

Here's what you need to know about the issue, how it affects your platform, and how to upgrade to the patched version.

The vulnerability details

The vulnerability is that an unauthenticated user can make a POST request to the MessageBus component of the Discourse platform to read new chat messages. In other words, this flaw can allow unauthorized parties to access private discussions and monitor community chat conversations, which can have serious privacy implications.

Although there have been no known cases of this vulnerability being exploited in the wild, it's important to patch this issue immediately to protect your community's privacy.

Affected versions

The affected versions of Discourse platforms are those up to 3.1..stable and 3.2..beta1. The patched versions, which fix this vulnerability, are Discourse 3.1.1 stable and 3.2..beta2.

To demonstrate how the vulnerability works, here's a quick code snippet:

```javascript
fetch("/message-bus/12345/poll", {
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
  },
  body: "dlp=t",
})
  .then((response) => response.json())
  .then((data) => console.log(data));
```

This sample code represents a simple POST request to the MessageBus that is sent without any authentication. The response, in turn, contains the new chat messages that could be accessed by an unauthenticated user.

Please note that this code snippet is for educational purposes only and should not be utilized to exploit the vulnerability.
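
To check whether an instance received this kind of request before it was upgraded, the access log can be triaged for anonymous MessageBus polls. The script below is an added example, not code from the Discourse project or the original advisory. The log format, the sample lines, and the "no page loads from the same IP" heuristic are assumptions; anonymous visitors on public sites also poll MessageBus legitimately, so a hit is a lead to investigate, not proof.

```javascript
// Constructed sample lines in an assumed format (not Discourse's own):
//   <ip> <user or -> "<METHOD> <path>" <status> <bytes>
const SAMPLE_LOG = `
198.51.100.7 - "POST /message-bus/a1b2c3/poll" 200 5120
198.51.100.7 - "POST /message-bus/a1b2c3/poll" 200 4870
203.0.113.20 alice "GET /chat" 200 18233
203.0.113.20 alice "POST /message-bus/f00d42/poll" 200 312
192.0.2.15 - "GET /latest" 200 20110
192.0.2.15 - "POST /message-bus/beef99/poll" 200 2
198.51.100.7 - "POST /message-bus/a1b2c3/poll" 200 6033
`;

const LINE_RE = /^(\S+) (\S+) "([A-Z]+) (\S+)" (\d{3}) (\d+)$/;
const POLL_RE = /^\/message-bus\/[^\/]+\/poll(?:\?.*)?$/;

// Parse one log line into fields; returns null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const [, ip, user, method, path, status, bytes] = m;
  return { ip, user: user === "-" ? null : user, method, path,
           status: Number(status), bytes: Number(bytes) };
}

// Heuristic (assumption): a browser loads pages before it polls, so an IP that
// sends successful anonymous polls and never issues a GET looks scripted.
function findSuspectPollers(logText) {
  const byIp = new Map();
  for (const line of logText.split("\n")) {
    const e = parseLine(line);
    if (!e) continue;
    const s = byIp.get(e.ip) ?? { ip: e.ip, anonPolls: 0, pollBytes: 0, pageLoads: 0 };
    if (e.method === "POST" && POLL_RE.test(e.path)) {
      if (e.user === null && e.status === 200) {
        s.anonPolls += 1;
        s.pollBytes += e.bytes;
      }
    } else if (e.method === "GET") {
      s.pageLoads += 1;
    }
    byIp.set(e.ip, s);
  }
  return [...byIp.values()]
    .filter((s) => s.anonPolls > 0 && s.pageLoads === 0)
    .sort((a, b) => b.pollBytes - a.pollBytes);
}

console.log(findSuspectPollers(SAMPLE_LOG));
```

Results are sorted by total bytes returned to anonymous polls, so the sources that received the most data come first.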

Patch and upgrade information

To deal with this vulnerability, the Discourse team has released patches for both affected versions, as follows:

- Discourse 3.1.1 stable
- Discourse 3.2..beta2

Please access the official Discourse release notes and GitHub pages for more information and follow the steps to upgrade your platform:

- Discourse 3.1.1 stable release notes
- Discourse 3.2..beta2 release notes

In conclusion, all Discourse users are advised to upgrade to the mentioned patched versions to mitigate this security vulnerability. By doing so, you're protecting your platform, your community, and the privacy of your users. Don't hesitate to reach out to the Discourse development team for further support if needed.

Timeline

Published on: 10/16/2023 22:15:12 UTC
Last modified on: 10/19/2023 17:55:24 UTC