CVE-2022-39378: 
NixOS vulnerability analysis and mitigation

A vulnerability in Discourse, a platform for community discussion, was discovered where user badges could potentially leak topic titles to users without proper access permissions. The vulnerability, identified as CVE-2022-39378, affects Discourse versions stable <= 2.8.9, beta <= 2.9.0.beta10, and tests-passed <= 2.9.0.beta10. The issue was disclosed on November 1, 2022 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Moderate severity). The CVSS metrics indicate that the vulnerability can be exploited over the network (Attack Vector: Network), requires low attack complexity (Attack Complexity: Low), needs no privileges (Privileges Required: None), and requires no user interaction (User Interaction: None). The scope is unchanged, with low impact on confidentiality and no impact on integrity or availability. The complete CVSS string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).

The vulnerability could result in the exposure of sensitive information contained in topic titles. When a user badge was awarded based on activity in a restricted-access topic, the associated topic title could be viewed by any user, regardless of their access permissions. This could lead to the unintended disclosure of sensitive information embedded in topic titles (GitHub Advisory).

The vulnerability has been patched in versions after stable 2.8.9, beta 2.9.0.beta10, and tests-passed 2.9.0.beta10. No workarounds are available for this vulnerability, making it crucial for affected users to upgrade to the patched versions (GitHub Advisory).