CVE-2022-31060 - Vulnerability Details - OpenCVE

Discourse is an open-source discussion platform. Prior to version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches, banner topic data is exposed on login-required sites. This issue is patched in version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches of Discourse. As a workaround, one may disable banners.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Discourse	Discourse

Configuration 1 [-]

OR	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta1::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta2::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta3::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta4::::::

No data.

References

Link	Providers
https://github.com/discourse/discourse/commit/ae6a9079436fb9b20fd051d25fb6d8027f0ec59a
https://github.com/discourse/discourse/pull/17071
https://github.com/discourse/discourse/security/advisories/GHSA-5f4f-35fx-gqhq

History

Wed, 23 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-06-14T20:15:17.000Z

Updated: 2025-04-23T18:16:04.855Z

Reserved: 2022-05-18T00:00:00.000Z

Link: CVE-2022-31060

Vulnrichment

Updated: 2024-08-03T07:03:40.234Z

NVD

Status : Modified

Published: 2022-06-14T21:15:16.317

Modified: 2024-11-21T07:03:48.653

Link: CVE-2022-31060

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "discourse", "vendor": "discourse", "versions": [{"status": "affected", "version": "stable < 2.8.4"}, {"status": "affected", "version": "beta <= 2.9.0.beta4"}, {"status": "affected", "version": "tests-passed <= 2.9.0.beta4"}]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches, banner topic data is exposed on login-required sites. This issue is patched in version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches of Discourse. As a workaround, one may disable banners."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-14T20:15:16.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-5f4f-35fx-gqhq"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/pull/17071"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/ae6a9079436fb9b20fd051d25fb6d8027f0ec59a"}], "source": {"advisory": "GHSA-5f4f-35fx-gqhq", "discovery": "UNKNOWN"}, "title": "Banner topic data is exposed on login-required Discourse sites", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31060", "STATE": "PUBLIC", "TITLE": "Banner topic data is exposed on login-required Discourse sites"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "discourse", "version": {"version_data": [{"version_value": "stable < 2.8.4"}, {"version_value": "beta <= 2.9.0.beta4"}, {"version_value": "tests-passed <= 2.9.0.beta4"}]}}]}, "vendor_name": "discourse"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Discourse is an open-source discussion platform. Prior to version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches, banner topic data is exposed on login-required sites. This issue is patched in version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches of Discourse. As a workaround, one may disable banners."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-5f4f-35fx-gqhq", "refsource": "CONFIRM", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-5f4f-35fx-gqhq"}, {"name": "https://github.com/discourse/discourse/pull/17071", "refsource": "MISC", "url": "https://github.com/discourse/discourse/pull/17071"}, {"name": "https://github.com/discourse/discourse/commit/ae6a9079436fb9b20fd051d25fb6d8027f0ec59a", "refsource": "MISC", "url": "https://github.com/discourse/discourse/commit/ae6a9079436fb9b20fd051d25fb6d8027f0ec59a"}]}, "source": {"advisory": "GHSA-5f4f-35fx-gqhq", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:03:40.234Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-5f4f-35fx-gqhq"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/discourse/pull/17071"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/discourse/commit/ae6a9079436fb9b20fd051d25fb6d8027f0ec59a"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:54:14.258540Z", "id": "CVE-2022-31060", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T18:16:04.855Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31060", "datePublished": "2022-06-14T20:15:17.000Z", "dateReserved": "2022-05-18T00:00:00.000Z", "dateUpdated": "2025-04-23T18:16:04.855Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-5f4f-35fx-gqhq", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/discourse/discourse/pull/17071", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/discourse/discourse/commit/ae6a9079436fb9b20fd051d25fb6d8027f0ec59a", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:03:40.234Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-31060", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T15:54:14.258540Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:54:15.771Z"}}], "cna": {"title": "Banner topic data is exposed on login-required Discourse sites", "source": {"advisory": "GHSA-5f4f-35fx-gqhq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": "stable < 2.8.4"}, {"status": "affected", "version": "beta <= 2.9.0.beta4"}, {"status": "affected", "version": "tests-passed <= 2.9.0.beta4"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-5f4f-35fx-gqhq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/pull/17071", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/ae6a9079436fb9b20fd051d25fb6d8027f0ec59a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches, banner topic data is exposed on login-required sites. This issue is patched in version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches of Discourse. As a workaround, one may disable banners."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-06-14T20:15:16.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, "source": {"advisory": "GHSA-5f4f-35fx-gqhq", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "stable < 2.8.4"}, {"version_value": "beta <= 2.9.0.beta4"}, {"version_value": "tests-passed <= 2.9.0.beta4"}]}, "product_name": "discourse"}]}, "vendor_name": "discourse"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-5f4f-35fx-gqhq", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-5f4f-35fx-gqhq", "refsource": "CONFIRM"}, {"url": "https://github.com/discourse/discourse/pull/17071", "name": "https://github.com/discourse/discourse/pull/17071", "refsource": "MISC"}, {"url": "https://github.com/discourse/discourse/commit/ae6a9079436fb9b20fd051d25fb6d8027f0ec59a", "name": "https://github.com/discourse/discourse/commit/ae6a9079436fb9b20fd051d25fb6d8027f0ec59a", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Discourse is an open-source discussion platform. Prior to version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches, banner topic data is exposed on login-required sites. This issue is patched in version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches of Discourse. As a workaround, one may disable banners."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-31060", "STATE": "PUBLIC", "TITLE": "Banner topic data is exposed on login-required Discourse sites", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-31060", "state": "PUBLISHED", "dateUpdated": "2025-04-23T18:16:04.855Z", "dateReserved": "2022-05-18T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-06-14T20:15:17.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "33A8F935-CC56-40AD-ADA9-C13AB1B1371A", "versionEndExcluding": "2.8.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2.9.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "B3803EF9-A296-42B7-887F-93C5E68E94C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2.9.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "8BA3D313-3C11-43E2-A47D-CBB532D1B6F8", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2.9.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "6F42673E-65F3-4807-9484-20CB747420FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2.9.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "0B91D023-FCE5-4866-AD8B-BBB675763104", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches, banner topic data is exposed on login-required sites. This issue is patched in version 2.8.4 in the `stable` branch and version `2.9.0.beta5` in the `beta` and `tests-passed` branches of Discourse. As a workaround, one may disable banners."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. En versiones anteriores a 2.8.4 en la rama \"stable\" y la versi\u00f3n \"2.9.0.beta5\" en las ramas \"beta\" y \"tests-passed\", los datos de los temas de los banners est\u00e1n expuestos en los sitios que requieren inicio de sesi\u00f3n. Este problema ha sido corregido en versi\u00f3n 2.8.4 de la rama \"stable\" y en la versi\u00f3n \"2.9.0.beta5\" de las ramas \"beta\" y \"tests-passed\" de Discourse. Como mitigaci\u00f3n, pueden deshabllitarse los banners"}], "id": "CVE-2022-31060", "lastModified": "2024-11-21T07:03:48.653", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-14T21:15:16.317", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/discourse/discourse/commit/ae6a9079436fb9b20fd051d25fb6d8027f0ec59a"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/discourse/discourse/pull/17071"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-5f4f-35fx-gqhq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/discourse/discourse/commit/ae6a9079436fb9b20fd051d25fb6d8027f0ec59a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/discourse/discourse/pull/17071"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-5f4f-35fx-gqhq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}