CVE-2022-24850: 
NixOS vulnerability analysis and mitigation

Discourse, an open source platform for community discussion, was found to contain a vulnerability (CVE-2022-24850) where category group permissions could be leaked to users without proper authorization. The vulnerability was discovered and disclosed on April 14, 2022, affecting Discourse versions stable <= 2.8.2, beta <= 2.9.0.beta3, and tests-passed <= 2.9.0.beta3 (GitHub Advisory).

The vulnerability allows normal users to view a category's group permissions settings, including read/write permissions information, even though this information should only be accessible to users with category management privileges. The vulnerability has been assigned a CVSS v3.1 base score with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network vector, low attack complexity, no privileges required, and no user interaction needed (GitHub Advisory).

The vulnerability results in unauthorized access to category group permissions settings. Users without proper authorization can view whether specific groups have read/write permissions in categories, potentially exposing sensitive access control information (GitHub Advisory).

The vulnerability has been patched in Discourse versions stable >= 2.8.3, beta >= 2.9.0.beta4, and tests-passed >= 2.9.0.beta4. There are no workarounds available for this vulnerability, making it essential to upgrade to a patched version (GitHub Advisory).