CVE-2022-36068: 
NixOS vulnerability analysis and mitigation

Discourse, an open source discussion platform, was affected by a security bypass vulnerability (CVE-2022-36068) that allowed moderators to create new and edit existing themes via the API when they should not have had this capability. The vulnerability affected versions prior to 2.8.9 on the 'stable' branch and prior to 2.9.0.beta10 on the 'beta' and 'tests-passed' branches (GitHub Advisory).

The vulnerability was caused by missing authorization controls in the API, which allowed moderators to bypass intended access restrictions for theme management. The vulnerability received a CVSS v3.1 score of 7.2 (High), with the following base metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: High, User Interaction: None, Scope: Unchanged, Confidentiality: High, Integrity: High, Availability: High (GitHub Advisory).

The vulnerability allowed moderators to gain unauthorized access to theme management functionality through the API, enabling them to create new themes and modify existing ones, which should have been restricted to administrators only (GitHub Advisory).

The vulnerability was patched in version 2.8.9 on the 'stable' branch and version 2.9.0.beta10 on the 'beta' and 'tests-passed' branches. The fix involved applying proper AdminConstraint for all theme-related routes and ensuring admin-level authorization checks (GitHub Advisory, GitHub Commit).