CVE-2019-1020017 - OpenCVE

Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Discourse	Discourse

Configuration 1 [-]

OR	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse:2.4.0:beta1::::::
	cpe:2.3:a:discourse:discourse:2.4.0:beta2::::::

No data.

References

Link	Providers
https://github.com/discourse/discourse/commit/b8340c6c8e50a71ff1bca9654b9126ca5a84ce9a
https://github.com/discourse/discourse/commit/e6e47f2fb22764c92aaa90445c7bf203192fba11

History

No history.

MITRE

Status: PUBLISHED

Assigner: dwf

Published: 2019-07-29T12:25:59

Updated: 2024-08-05T03:14:15.909Z

Reserved: 2019-07-26T00:00:00

Link: CVE-2019-1020017

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-07-29T13:15:12.263

Modified: 2023-03-03T17:30:50.453

Link: CVE-2019-1020017

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Discourse", "vendor": "n/a", "versions": [{"status": "affected", "version": "< 2.3.0"}, {"status": "affected", "version": "2.4.0.beta1"}, {"status": "affected", "version": "2.4.0.beta2"}, {"status": "affected", "version": "fixed in 2.4.0.beta3"}]}], "descriptions": [{"lang": "en", "value": "Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP."}], "problemTypes": [{"descriptions": [{"description": "lacks a confirmation screen", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-09T18:56:05", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/b8340c6c8e50a71ff1bca9654b9126ca5a84ce9a"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/e6e47f2fb22764c92aaa90445c7bf203192fba11"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1020017", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Discourse", "version": {"version_data": [{"version_value": "< 2.3.0"}, {"version_value": "2.4.0.beta1"}, {"version_value": "2.4.0.beta2"}, {"version_value": "fixed in 2.4.0.beta3"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "lacks a confirmation screen"}]}]}, "references": {"reference_data": [{"name": "https://github.com/discourse/discourse/commit/b8340c6c8e50a71ff1bca9654b9126ca5a84ce9a", "refsource": "MISC", "url": "https://github.com/discourse/discourse/commit/b8340c6c8e50a71ff1bca9654b9126ca5a84ce9a"}, {"name": "https://github.com/discourse/discourse/commit/e6e47f2fb22764c92aaa90445c7bf203192fba11", "refsource": "MISC", "url": "https://github.com/discourse/discourse/commit/e6e47f2fb22764c92aaa90445c7bf203192fba11"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:14:15.909Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/discourse/commit/b8340c6c8e50a71ff1bca9654b9126ca5a84ce9a"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/discourse/commit/e6e47f2fb22764c92aaa90445c7bf203192fba11"}]}]}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1020017", "datePublished": "2019-07-29T12:25:59", "dateReserved": "2019-07-26T00:00:00", "dateUpdated": "2024-08-05T03:14:15.909Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E4CD835-C559-4E72-92AE-346C3FF06EA7", "versionEndExcluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2.4.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "9F56245D-A74A-4AEB-89F5-37787AEBB0D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2.4.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "105421C3-A5FC-4842-ADB9-632478E2A543", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP."}, {"lang": "es", "value": "Discourse en versiones anteriores a la 2.3.0 y 2.4.x en versiones anteriores a la 2.4.0.beta3, carece de una pantalla de confirmaci\u00f3n cuando se inicia sesi\u00f3n mediante un usuario de la api OTP."}], "id": "CVE-2019-1020017", "lastModified": "2023-03-03T17:30:50.453", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-29T13:15:12.263", "references": [{"source": "josh@bress.net", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/b8340c6c8e50a71ff1bca9654b9126ca5a84ce9a"}, {"source": "josh@bress.net", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/e6e47f2fb22764c92aaa90445c7bf203192fba11"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}