CVE-2022-46177: 
NixOS vulnerability analysis and mitigation

Discourse, an open-source discussion platform, was affected by a vulnerability (CVE-2022-46177) prior to version 2.8.14 on the 'stable' branch and version 3.0.0.beta16 on the 'beta' and 'tests-passed' branches. The vulnerability was related to password reset functionality, where when a user requests a password reset link email and then changes their primary email, the old reset email would remain valid (GitHub Advisory).

The vulnerability occurs in the password reset process where email tokens remain valid even after email changes. When the old reset email is used to reset the password, the Discourse account's primary email would be re-linked to the old email. The vulnerability received a CVSS v3.1 base score of 8.1 HIGH from NVD (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and 5.7 MEDIUM from GitHub (Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N). The vulnerability is classified under CWE-613 (Insufficient Session Expiration) (NVD).

If exploited, this vulnerability could lead to account takeover if the old email address is compromised or has transferred ownership. The impact is partially mitigated by the SiteSetting 'email_token_valid_hours' which defaults to 48 hours (GitHub Advisory).

Users should upgrade to versions 2.8.14 or 3.0.0.beta16 or later to receive the patch. As a temporary workaround, administrators can lower the 'email_token_valid_hours' setting as needed to reduce the window of vulnerability (GitHub Advisory).