cve-2023-45147
Vulnerability from cvelistv5
Published
2023-10-16 20:26
Modified
2024-09-13 19:00
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Summary
Discourse is an open source community platform. In affected versions any user can create a topic and add arbitrary custom fields to a topic. The severity of this vulnerability depends on what plugins are installed and how the plugins uses topic custom fields. For a default Discourse installation with the default plugins, this vulnerability has no impact. The problem has been patched in the latest version of Discourse. Users are advised to update to version 3.1.1 if they are on the stable branch or 3.2.0.beta2 if they are on the beta branch. Users unable to upgrade should disable any plugins that access topic custom fields.
References
security-advisories@github.comhttps://github.com/discourse/discourse/security/advisories/GHSA-wm89-m359-f9qvVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/discourse/discourse/security/advisories/GHSA-wm89-m359-f9qvVendor Advisory
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:14:19.800Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/discourse/discourse/security/advisories/GHSA-wm89-m359-f9qv",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/discourse/discourse/security/advisories/GHSA-wm89-m359-f9qv"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-45147",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-13T18:58:49.242575Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-13T19:00:16.296Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "discourse",
          "vendor": "discourse",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c=  3.1.1"
            },
            {
              "status": "affected",
              "version": "beta: \u003c= 3.2.0.beta2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Discourse is an open source community platform. In affected versions any user can create a topic and add arbitrary custom fields to a topic. The severity of this vulnerability depends on what plugins are installed and how the plugins uses topic custom fields. For a default Discourse installation with the default plugins, this vulnerability has no impact. The problem has been patched in the latest version of Discourse. Users are advised to update to version 3.1.1 if they are on the stable branch or 3.2.0.beta2 if they are on the beta branch. Users unable to upgrade should disable any plugins that access topic custom fields."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-16T20:26:25.200Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/discourse/discourse/security/advisories/GHSA-wm89-m359-f9qv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/discourse/discourse/security/advisories/GHSA-wm89-m359-f9qv"
        }
      ],
      "source": {
        "advisory": "GHSA-wm89-m359-f9qv",
        "discovery": "UNKNOWN"
      },
      "title": "Arbitrary keys can be added to a topic\u0027s custom fields by any user in Discourse"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-45147",
    "datePublished": "2023-10-16T20:26:25.200Z",
    "dateReserved": "2023-10-04T16:02:46.330Z",
    "dateUpdated": "2024-09-13T19:00:16.296Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-45147\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-10-16T21:15:11.433\",\"lastModified\":\"2024-11-21T08:26:26.637\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Discourse is an open source community platform. In affected versions any user can create a topic and add arbitrary custom fields to a topic. The severity of this vulnerability depends on what plugins are installed and how the plugins uses topic custom fields. For a default Discourse installation with the default plugins, this vulnerability has no impact. The problem has been patched in the latest version of Discourse. Users are advised to update to version 3.1.1 if they are on the stable branch or 3.2.0.beta2 if they are on the beta branch. Users unable to upgrade should disable any plugins that access topic custom fields.\"},{\"lang\":\"es\",\"value\":\"Discourse es una plataforma comunitaria de c\u00f3digo abierto. En las versiones afectadas, cualquier usuario puede crear un tema y agregar campos personalizados arbitrarios a un tema. La gravedad de esta vulnerabilidad depende de los complementos instalados y de c\u00f3mo los complementos utilizan los campos personalizados de temas. Para una instalaci\u00f3n predeterminada de Discourse con los complementos predeterminados, esta vulnerabilidad no tiene ning\u00fan impacto. El problema se solucion\u00f3 en la \u00faltima versi\u00f3n de Discourse. Se recomienda a los usuarios que actualicen a la versi\u00f3n 3.1.1 si est\u00e1n en la rama estable o 3.2.0.beta2 si est\u00e1n en la rama beta. Los usuarios que no puedan actualizar deben deshabilitar los complementos que accedan a los campos personalizados del tema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*\",\"versionEndIncluding\":\"3.1.1\",\"matchCriteriaId\":\"6AC25048-A9DA-4EB4-A05B-33B6348539CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:3.2.0:beta1:*:*:beta:*:*:*\",\"matchCriteriaId\":\"1BFF647B-6CEF-43BF-BF5E-C82B557F78E2\"}]}]}],\"references\":[{\"url\":\"https://github.com/discourse/discourse/security/advisories/GHSA-wm89-m359-f9qv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/discourse/discourse/security/advisories/GHSA-wm89-m359-f9qv\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.