CVE-2023-45816: 
NixOS vulnerability analysis and mitigation

Discourse, an open source platform for community discussion, disclosed a security vulnerability (CVE-2023-45816) affecting versions prior to 3.1.3 of the stable branch and version 3.2.0.beta3 of the beta and tests-passed branches. The vulnerability was discovered and disclosed on November 10, 2023. The issue involves an edge case where bookmark reminders and unread notifications could be generated for content that users no longer have access to (GitHub Advisory).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 score of 3.3 (LOW). The vulnerability vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating local attack vector, low attack complexity, no privileges required, and user interaction required (NVD).

The vulnerability could potentially expose sensitive information through bookmark reminder notifications. When a bookmarked resource's security status changes (e.g., a post/topic is changed to a private message), users could still see the notification even though they no longer have access to the underlying content. The main risk is the potential exposure of topic titles if they contain sensitive information (GitHub Advisory).

The issue has been patched in version 3.1.3 of the stable branch and version 3.2.0.beta3 of the beta and tests-passed branches. The fix ensures that bookmark reminders are no longer sent if the user does not have access to the underlying bookmarkable, and unread bookmark notifications are always filtered by access. There are no known workarounds for this vulnerability (GitHub Advisory).