What is the severity of CVE-2022-21677?

CVE-2022-21677 has a moderate severity level related to potential exposure of user visibility settings.

How do I fix CVE-2022-21677?

To fix CVE-2022-21677, upgrade to Discourse versions 2.8.0 or later, or apply the recommended patches.

What versions of Discourse are affected by CVE-2022-21677?

CVE-2022-21677 affects Discourse versions up to 2.7.12 and beta versions of 2.8.0 prior to the final release.

What impact does CVE-2022-21677 have on user privacy?

CVE-2022-21677 may lead to unauthorized visibility of group members and activities, impacting user privacy.

Is there a workaround for CVE-2022-21677?

A temporary workaround for CVE-2022-21677 is to manually adjust the visibility settings for newly created groups until the software is updated.

Vulnerability/
CVE-2022-21677

medium

5.3

CWE

200

14/1/2022

23/4/2025

CVE-2022-21677: Group advanced search option may leak group and group's members visibility

First published: Fri Jan 14 2022(Updated: )

Discourse is an open source discussion platform. Discourse groups can be configured with varying visibility levels for the group as well as the group members. By default, a newly created group has its visibility set to public and the group's members visibility set to public as well. However, a group's visibility and the group's members visibility can be configured such that it is restricted to logged on users, members of the group or staff users. A vulnerability has been discovered in versions prior to 2.7.13 and 2.8.0.beta11 where the group advanced search option does not respect the group's visibility and members visibility level. As such, a group with restricted visibility or members visibility can be revealed through search with the right search option. This issue is patched in `stable` version 2.7.13, `beta` version 2.8.0.beta11, and `tests-passed` version 2.8.0.beta11 versions of Discourse. There are no workarounds aside from upgrading.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Discourse	<=2.7.12
Discourse	=2.8.0-beta1
Discourse	=2.8.0-beta10
Discourse	=2.8.0-beta2
Discourse	=2.8.0-beta3
Discourse	=2.8.0-beta4
Discourse	=2.8.0-beta5
Discourse	=2.8.0-beta6
Discourse	=2.8.0-beta7
Discourse	=2.8.0-beta8
Discourse	=2.8.0-beta9

Remedy

https://github.com/discourse/discourse/commit/fff8b98485561b12d070c0a8c39f4e503813ab44

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2022-21677?
CVE-2022-21677 has a moderate severity level related to potential exposure of user visibility settings.
How do I fix CVE-2022-21677?
To fix CVE-2022-21677, upgrade to Discourse versions 2.8.0 or later, or apply the recommended patches.
What versions of Discourse are affected by CVE-2022-21677?
CVE-2022-21677 affects Discourse versions up to 2.7.12 and beta versions of 2.8.0 prior to the final release.
What impact does CVE-2022-21677 have on user privacy?
CVE-2022-21677 may lead to unauthorized visibility of group members and activities, impacting user privacy.
Is there a workaround for CVE-2022-21677?
A temporary workaround for CVE-2022-21677 is to manually adjust the visibility settings for newly created groups until the software is updated.

agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/weakness
agent/severity
agent/last-modified-date
agent/title
agent/remedy
agent/author
agent/description
agent/first-publish-date
agent/event
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/discourse
canonical/discourse
version/discourse/2.7.12
version/discourse/2.8.0-beta1
version/discourse/2.8.0-beta10
version/discourse/2.8.0-beta2
version/discourse/2.8.0-beta3
version/discourse/2.8.0-beta4
version/discourse/2.8.0-beta5
version/discourse/2.8.0-beta6
version/discourse/2.8.0-beta7
version/discourse/2.8.0-beta8
version/discourse/2.8.0-beta9