CVE Vulnerabilities

CVE-2022-46168

Exposure of Private Personal Information to an Unauthorized Actor

Published: Jan 05, 2023 | Modified: Nov 21, 2024
CVSS 3.x
3.5
LOW
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

Discourse is an option source discussion platform. Prior to version 2.8.14 on the stable branch and version 2.9.0.beta15 on the beta and tests-passed branches, recipients of a group SMTP email could see the email addresses of all other users inside the group SMTP topic. Most of the time this is not an issue as they are likely already familiar with one anothers email addresses. This issue is patched in versions 2.8.14 and 2.9.0.beta15. The fix is that someone sending emails out via group SMTP to non-staged users masks those emails with blind carbon copy (BCC). Staged users are ones that have likely only interacted with the group via email, and will likely include other people who were CCd on the original email to the group. As a workaround, disable group SMTP for any groups that have it enabled.

Weakness

The product does not properly prevent a person’s private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Affected Software

Name Vendor Start Version End Version
Discourse Discourse * 2.8.14 (excluding)
Discourse Discourse 2.9.0-beta1 (including) 2.9.0-beta1 (including)
Discourse Discourse 2.9.0-beta10 (including) 2.9.0-beta10 (including)
Discourse Discourse 2.9.0-beta11 (including) 2.9.0-beta11 (including)
Discourse Discourse 2.9.0-beta12 (including) 2.9.0-beta12 (including)
Discourse Discourse 2.9.0-beta13 (including) 2.9.0-beta13 (including)
Discourse Discourse 2.9.0-beta14 (including) 2.9.0-beta14 (including)
Discourse Discourse 2.9.0-beta2 (including) 2.9.0-beta2 (including)
Discourse Discourse 2.9.0-beta3 (including) 2.9.0-beta3 (including)
Discourse Discourse 2.9.0-beta4 (including) 2.9.0-beta4 (including)
Discourse Discourse 2.9.0-beta5 (including) 2.9.0-beta5 (including)
Discourse Discourse 2.9.0-beta6 (including) 2.9.0-beta6 (including)
Discourse Discourse 2.9.0-beta7 (including) 2.9.0-beta7 (including)
Discourse Discourse 2.9.0-beta8 (including) 2.9.0-beta8 (including)
Discourse Discourse 3.0.0-beta15 (including) 3.0.0-beta15 (including)

Potential Mitigations

  • Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability and Accountability Act (HIPAA) [REF-342], General Data Protection Regulation (GDPR) [REF-1047], California Consumer Privacy Act (CCPA) [REF-1048], and others.
  • Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which private data can be handled unsafely, a common risk stems from misplaced trust. Programmers often trust the operating environment in which a program runs, and therefore believe that it is acceptable store private information on the file system, in the registry, or in other locally-controlled resources. However, even if access to certain resources is restricted, this does not guarantee that the individuals who do have access can be trusted.

References