CVE-2022-39355: SECURITY: Check for email verification status during login (#92) · discourse/discourse-patreon@846d012

Discourse Patreon enables synchronization between Discourse Groups and Patreon rewards. On sites with Patreon login enabled, an improper authentication vulnerability could be used to take control of a victim’s forum account. This vulnerability is patched in commit number 846d012151514b35ce42a1636c7d70f6dcee879e of the discourse-patreon plugin. Out of an abundance of caution, any Discourse accounts which have logged in with an unverified-email Patreon account will be logged out and asked to verify their email address on their next login. As a workaround, disable the Patreon integration and log out all users with associated Patreon accounts.
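The fix and the clean-up migration both hinge on one rule: a Patreon-supplied email may only be trusted for account linking when the provider explicitly reports it as verified, and anything else (missing key, null, the string "true" rather than the boolean) is treated as unverified. The following added example, which is not code from the discourse-patreon plugin, expresses that same predicate in Ruby over constructed rows shaped like the plugin's `user_associated_accounts` table (a `provider_name` column plus `extra` stored as JSON text, which is why the migration casts `extra::json`). `patreon_email_verified?`, `unverified_patreon_user_ids` and `SAMPLE_ROWS` are names assumed here for illustration.

```ruby
require "json"

# Constructed sample rows shaped like user_associated_accounts.
# Row 4 stores the string "true" rather than the JSON boolean: in the migration,
# JSON_EXTRACT_PATH(...)::text yields '"true"' (with quotes) for it, which is
# <> 'true', so it counts as unverified. The Ruby check below must agree.
SAMPLE_ROWS = [
  { user_id: 1, provider_name: "patreon", extra: '{"raw_info":{"data":{"attributes":{"is_email_verified":true}}}}' },
  { user_id: 2, provider_name: "patreon", extra: '{"raw_info":{"data":{"attributes":{"is_email_verified":false}}}}' },
  { user_id: 3, provider_name: "patreon", extra: '{"raw_info":{"data":{"attributes":{"email":"someone@example.test"}}}}' },
  { user_id: 4, provider_name: "patreon", extra: '{"raw_info":{"data":{"attributes":{"is_email_verified":"true"}}}}' },
  { user_id: 5, provider_name: "github",  extra: '{"raw_info":{"data":{"attributes":{"is_email_verified":false}}}}' },
].freeze

# Fail-closed verification check (assumed helper, not the plugin's own code).
# Returns true only when raw_info.data.attributes.is_email_verified is the JSON
# boolean true; a missing path, NULL extra, unparsable JSON, or any other value
# is treated as unverified, matching COALESCE(..., 'false') <> 'true' in SQL.
def patreon_email_verified?(extra)
  data = extra.is_a?(String) ? JSON.parse(extra) : extra
  return false unless data.is_a?(Hash)
  attrs = data.dig("raw_info", "data", "attributes")
  attrs.is_a?(Hash) && attrs["is_email_verified"] == true
rescue JSON::ParserError
  false
end

# The set the migration acts on: Patreon-linked users whose Patreon email was
# never verified. These are the accounts whose sessions and API keys get
# revoked and whose Patreon association is removed.
def unverified_patreon_user_ids(rows)
  rows
    .select { |r| r[:provider_name] == "patreon" && !patreon_email_verified?(r[:extra]) }
    .map { |r| r[:user_id] }
end

if __FILE__ == $PROGRAM_NAME
  puts "Users to log out and unlink: #{unverified_patreon_user_ids(SAMPLE_ROWS).inspect}"
end
```

At login time the same predicate decides whether an OAuth identity may be matched to an existing forum account by email address; applying it only in a one-off migration would leave the next unverified login unchecked, which is why the advisory's permanent fix lives in the login path and the migration merely cleans up sessions created before the check existed.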

CVE · #sql #vulnerability #js #auth

@@ -0,0 +1,47 @@ # frozen_string_literal: true
class DeleteUnverifiedPatreonUserInfo < ActiveRecord::Migration[6.1] def up execute <<~SQL DELETE FROM user_auth_tokens WHERE user_id IN ( SELECT user_id FROM user_associated_accounts WHERE provider_name = ‘patreon’ AND COALESCE(JSON_EXTRACT_PATH(extra::json, 'raw_info’, 'data’, 'attributes’, ‘is_email_verified’)::text, ‘false’) <> ‘true’ ) SQL
execute <<~SQL UPDATE user_api_keys SET revoked_at = NOW() WHERE user_id IN ( SELECT user_id FROM user_associated_accounts WHERE provider_name = ‘patreon’ AND COALESCE(JSON_EXTRACT_PATH(extra::json, 'raw_info’, 'data’, 'attributes’, ‘is_email_verified’)::text, ‘false’) <> ‘true’ ) SQL
execute <<~SQL UPDATE api_keys SET revoked_at = NOW() WHERE created_by_id IN ( SELECT user_id FROM user_associated_accounts WHERE provider_name = ‘patreon’ AND COALESCE(JSON_EXTRACT_PATH(extra::json, 'raw_info’, 'data’, 'attributes’, ‘is_email_verified’)::text, ‘false’) <> ‘true’ ) SQL
execute <<~SQL DELETE FROM user_associated_accounts WHERE provider_name = ‘patreon’ AND COALESCE(JSON_EXTRACT_PATH(extra::json, 'raw_info’, 'data’, 'attributes’, ‘is_email_verified’)::text, ‘false’) <> ‘true’ SQL end
def down # noop end end
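Review bot: the four statements repeat the same `WHERE provider_name = 'patreon' AND COALESCE(JSON_EXTRACT_PATH(extra::json, ...)::text, 'false') <> 'true'` subquery verbatim, and the final `DELETE FROM user_associated_accounts` removes exactly the rows the three preceding statements select on, so statement order is load-bearing but nothing in the file says so. Consider building the predicate once (a Ruby constant interpolated into each heredoc, or a CTE that materializes the affected `user_id` set) and adding a comment that the `user_associated_accounts` delete must remain last. The no-op `down` is appropriate for a token-revocation migration, but replace `# noop` with a one-line note that revoked `user_auth_tokens`, `user_api_keys` and `api_keys` are intentionally not restorable, so a rollback does not silently re-enable the sessions this change exists to kill.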
