CVE-2022-39356: 
NixOS vulnerability analysis and mitigation

Discourse, a platform for community discussions, was found to contain a vulnerability (CVE-2022-39356) related to invitation link validation. The vulnerability was discovered and disclosed on November 1, 2022, affecting Discourse versions stable <= 2.8.9, beta <= 2.9.0.beta9, and tests-passed <= 2.9.0.beta9. The issue allowed users who received an invitation link not scoped to a single email address to potentially gain unauthorized access to non-admin user accounts (GitHub Advisory).

The vulnerability was classified with a CVSS v3.1 score of 5.3 (Medium) and was categorized under CWE-285 (Improper Authorization). The security flaw specifically involved the email validation process for invitation links, where links that were not restricted to specific email addresses could be exploited (NVD Database, GitHub Advisory).

The vulnerability could lead to unauthorized access to existing non-administrator accounts on Discourse platforms. By default, invitation links could only be generated by users with trust level 2 or above, but when exploited, the vulnerability allowed attackers to gain improper access to existing user accounts. Importantly, the vulnerability did not affect administrator accounts (GitHub Advisory).

The vulnerability was patched in versions stable >= 2.8.10, beta >= 2.9.0.beta10, and tests-passed >= 2.9.0.beta10. As part of the security measure, the fix automatically logged out any users who had previously logged in via an invite link, requiring them to re-authenticate. For those unable to update immediately, temporary workarounds included disabling invitations by setting SiteSetting.maxinvitesper_day = 0 or ensuring invitations were scoped to individual email addresses (GitHub Advisory).