CVE-2022-39232 - OpenCVE

Discourse is an open source discussion platform. Starting with version 2.9.0.beta5 and prior to version 2.9.0.beta10, an incomplete quote can generate a JavaScript error which will crash the current page in the browser in some cases. Version 2.9.0.beta10 added a fix and tests to ensure incomplete quotes won't break the app. As a workaround, the quote can be fixed via the rails console.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Discourse	Discourse

Configuration 1 [-]

OR	cpe:2.3:a:discourse:discourse:2.9.0:beta5::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta6::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta7::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta8::::::
	cpe:2.3:a:discourse:discourse:2.9.0:beta9::::::

No data.

References

Link	Providers
https://github.com/discourse/discourse/commit/eab33af5bf19827527fe79134d865b5c727f6530
https://github.com/discourse/discourse/pull/18311
https://github.com/discourse/discourse/security/advisories/GHSA-cv64-v73f-7wq5

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-09-29T20:15:14

Updated: 2024-08-03T12:00:42.578Z

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39232

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-29T21:15:11.210

Modified: 2023-07-11T21:02:11.580

Link: CVE-2022-39232

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "discourse", "vendor": "discourse", "versions": [{"status": "affected", "version": ">= 2.9.0.beta5, < 2.9.0.beta10"}]}], "descriptions": [{"lang": "en", "value": "Discourse is an open source discussion platform. Starting with version 2.9.0.beta5 and prior to version 2.9.0.beta10, an incomplete quote can generate a JavaScript error which will crash the current page in the browser in some cases. Version 2.9.0.beta10 added a fix and tests to ensure incomplete quotes won't break the app. As a workaround, the quote can be fixed via the rails console."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-29T20:15:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-cv64-v73f-7wq5"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/pull/18311"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/eab33af5bf19827527fe79134d865b5c727f6530"}], "source": {"advisory": "GHSA-cv64-v73f-7wq5", "discovery": "UNKNOWN"}, "title": "Discourse vulnerable to incomplete quote causing a topic to crash in the browser", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-39232", "STATE": "PUBLIC", "TITLE": "Discourse vulnerable to incomplete quote causing a topic to crash in the browser"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "discourse", "version": {"version_data": [{"version_value": ">= 2.9.0.beta5, < 2.9.0.beta10"}]}}]}, "vendor_name": "discourse"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Discourse is an open source discussion platform. Starting with version 2.9.0.beta5 and prior to version 2.9.0.beta10, an incomplete quote can generate a JavaScript error which will crash the current page in the browser in some cases. Version 2.9.0.beta10 added a fix and tests to ensure incomplete quotes won't break the app. As a workaround, the quote can be fixed via the rails console."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20: Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-cv64-v73f-7wq5", "refsource": "CONFIRM", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-cv64-v73f-7wq5"}, {"name": "https://github.com/discourse/discourse/pull/18311", "refsource": "MISC", "url": "https://github.com/discourse/discourse/pull/18311"}, {"name": "https://github.com/discourse/discourse/commit/eab33af5bf19827527fe79134d865b5c727f6530", "refsource": "MISC", "url": "https://github.com/discourse/discourse/commit/eab33af5bf19827527fe79134d865b5c727f6530"}]}, "source": {"advisory": "GHSA-cv64-v73f-7wq5", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:42.578Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-cv64-v73f-7wq5"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/discourse/pull/18311"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/discourse/commit/eab33af5bf19827527fe79134d865b5c727f6530"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39232", "datePublished": "2022-09-29T20:15:14", "dateReserved": "2022-09-02T00:00:00", "dateUpdated": "2024-08-03T12:00:42.578Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:2.9.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "0086484D-0164-449C-8AAE-BE7479CB9706", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2.9.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "F9D1B031-96C7-44C0-A0A0-F67ABE55C93C", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2.9.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "750D2AD9-35E7-4AC7-9C22-AA90DAA34F3F", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2.9.0:beta8:*:*:*:*:*:*", "matchCriteriaId": "B68E308A-BDAB-4614-A563-4460F7996CBE", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2.9.0:beta9:*:*:*:*:*:*", "matchCriteriaId": "5DEDE4C5-2C2A-4B74-BB41-8AAA0EE636E2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open source discussion platform. Starting with version 2.9.0.beta5 and prior to version 2.9.0.beta10, an incomplete quote can generate a JavaScript error which will crash the current page in the browser in some cases. Version 2.9.0.beta10 added a fix and tests to ensure incomplete quotes won't break the app. As a workaround, the quote can be fixed via the rails console."}, {"lang": "es", "value": "Discourse es una plataforma de debate de c\u00f3digo abierto. A partir de la versi\u00f3n 2.9.0.beta5 y anteriores a 2.9.0.beta10, una cita incompleta puede generar un error de JavaScript que bloquear\u00e1 la p\u00e1gina actual en el navegador en algunos casos. La versi\u00f3n 2.9.0.beta10 ha a\u00f1adido una correcci\u00f3n y pruebas para garantizar que las cotizaciones incompletas no rompan la aplicaci\u00f3n. Como mitigaci\u00f3n, la cotizaci\u00f3n puede arreglarse por medio de la consola de rails"}], "id": "CVE-2022-39232", "lastModified": "2023-07-11T21:02:11.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-09-29T21:15:11.210", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/discourse/discourse/commit/eab33af5bf19827527fe79134d865b5c727f6530"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/discourse/discourse/pull/18311"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-cv64-v73f-7wq5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}