Headline
CVE-2022-31025
Discourse is an open source platform for community discussion. Prior to version 2.8.4 on the stable branch and 2.9.0beta5 on the beta and tests-passed branches, inviting users on sites that use single sign-on could bypass the must_approve_users check and invites by staff are always approved automatically. The issue is patched in Discourse version 2.8.4 on the stable branch and version 2.9.0.beta5 on the beta and tests-passed branches. As a workaround, disable invites or increase min_trust_level_to_allow_invite to reduce the attack surface to more trusted users.
Invite bypasses user approval
Package
Discourse (Discourse)
Affected versions
stable <= 2.8.3; beta <= 2.9.0.beta4; tests-passed <= 2.9.0.beta4
Patched versions
stable >= 2.8.4; beta >= 2.9.0.beta5; tests-passed >= 2.9.0.beta5
Description
Impact
Inviting users on sites that use SSO could bypass the must_approve_users check and invites by staff are always approved automatically.
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse
Workarounds
Disable invites. Administrators can increase min_trust_level_to_allow_invite to reduce the attack surface to more trusted users (e.g. trust level 4).