What is the severity of CVE-2022-41944?

CVE-2022-41944 has a moderate severity as it allows users to see notifications for topics they no longer have access to, potentially exposing sensitive information.

How do I fix CVE-2022-41944?

To fix CVE-2022-41944, update your Discourse application to version 2.8.12 or newer, or to version 2.9.0.beta13 or newer.

What versions of Discourse are affected by CVE-2022-41944?

CVE-2022-41944 affects Discourse versions prior to 2.8.12 and beta versions before 2.9.0.beta13.

What kind of information can be exposed by CVE-2022-41944?

CVE-2022-41944 can potentially expose sensitive information contained in topics that users are no longer permitted to access.

Is there a workaround for CVE-2022-41944 if I can't update my Discourse version?

There is no specified workaround for CVE-2022-41944; upgrading to a patched version is the recommended action.

Vulnerability/
CVE-2022-41944

medium

4.3

CWE

863 200

28/11/2022

23/4/2025

CVE-2022-41944: Discourse users can see notifications for topics they no longer have access to

First published: Mon Nov 28 2022(Updated: )

Discourse is an open-source discussion platform. In stable versions prior to 2.8.12 and beta or tests-passed versions prior to 2.9.0.beta.13, under certain conditions, a user can see notifications for topics they no longer have access to. If there is sensitive information in the topic title, it will therefore have been exposed. This issue is patched in stable version 2.8.12, beta version 2.9.0.beta13, and tests-passed version 2.9.0.beta13. There are no workarounds available.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Discourse	<=2.8.11
Discourse	=2.9.0-beta1
Discourse	=2.9.0-beta10
Discourse	=2.9.0-beta11
Discourse	=2.9.0-beta12
Discourse	=2.9.0-beta2
Discourse	=2.9.0-beta3
Discourse	=2.9.0-beta4
Discourse	=2.9.0-beta5
Discourse	=2.9.0-beta6
Discourse	=2.9.0-beta7
Discourse	=2.9.0-beta8
Discourse	=2.9.0-beta9

Remedy

https://github.com/discourse/discourse/commit/c6ee28ec756436cc9ce154dd2c8e4c441f92f693

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2022-41944?
CVE-2022-41944 has a moderate severity as it allows users to see notifications for topics they no longer have access to, potentially exposing sensitive information.
How do I fix CVE-2022-41944?
To fix CVE-2022-41944, update your Discourse application to version 2.8.12 or newer, or to version 2.9.0.beta13 or newer.
What versions of Discourse are affected by CVE-2022-41944?
CVE-2022-41944 affects Discourse versions prior to 2.8.12 and beta versions before 2.9.0.beta13.
What kind of information can be exposed by CVE-2022-41944?
CVE-2022-41944 can potentially expose sensitive information contained in topics that users are no longer permitted to access.
Is there a workaround for CVE-2022-41944 if I can't update my Discourse version?
There is no specified workaround for CVE-2022-41944; upgrading to a patched version is the recommended action.

agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/author
agent/last-modified-date
agent/remedy
agent/severity
agent/weakness
agent/title
agent/first-publish-date
agent/description
agent/event
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/discourse
canonical/discourse
version/discourse/2.8.11
version/discourse/2.9.0-beta1
version/discourse/2.9.0-beta10
version/discourse/2.9.0-beta11
version/discourse/2.9.0-beta12
version/discourse/2.9.0-beta2
version/discourse/2.9.0-beta3
version/discourse/2.9.0-beta4
version/discourse/2.9.0-beta5
version/discourse/2.9.0-beta6
version/discourse/2.9.0-beta7
version/discourse/2.9.0-beta8
version/discourse/2.9.0-beta9