CVE-2024-56197: 
NixOS vulnerability analysis and mitigation

Discourse, an open source platform for community discussion, was found to have a security vulnerability (CVE-2024-56197) where PM (Private Message) titles and metadata could be exposed to unauthorized users. The vulnerability was discovered and disclosed on February 4, 2025, affecting Discourse versions stable <= 3.3.3, beta <= 3.4.0.beta4, and tests-passed <= 3.4.0.beta4. The issue occurs when the 'PM tags allowed for groups' option is enabled and users are members of groups added to this option (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 2.2 (Low severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N. This indicates that while the vulnerability is network-accessible (AV:N), it requires high attack complexity (AC:H) and high privileges (PR:H). No user interaction is needed (UI:N), the scope is unchanged (S:U), and it only affects confidentiality at a low level (C:L) with no impact on integrity (I:N) or availability (A:N). The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (GitHub Advisory).

The vulnerability allows unauthorized users to read PM titles and metadata of tagged private messages when specific conditions are met. The impact is limited to confidentiality breaches of PM metadata, with no effect on system integrity or availability (GitHub Advisory).

The issue has been patched in the latest stable (>= 3.3.4), beta (>= 3.4.0.beta5), and tests-passed (>= 3.4.0.beta5) versions of Discourse. Users are advised to upgrade to these versions. For those unable to upgrade immediately, a workaround is available by removing all groups from the 'PM tags allowed for groups' option (GitHub Advisory).