CVE-2023-25169 - Vulnerability Details - OpenCVE

discourse-yearly-review is a discourse plugin which publishes an automated Year in Review topic. In affected versions a user present in a yearly review topic that is then anonymised will still have some data linked to its original account. This issue has been patched in commit `b3ab33bbf7` which is included in the latest version of the Discourse Yearly Review plugin. Users are advised to upgrade. Users unable to upgrade may disable the `yearly_review_enabled` setting to fully mitigate the issue. Also, it's possible to edit the anonymised user's old data in the yearly review topics manually.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Discourse	Discourse Yearly Review

Configuration 1 [-]

cpe:2.3:a:discourse:discourse_yearly_review:*:*:*:*:*:discourse:*:*

No data.

References

Link	Providers
https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c
https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7

History

Tue, 25 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-03-06T17:40:45.721Z

Updated: 2025-02-25T15:01:17.448Z

Reserved: 2023-02-03T16:59:18.246Z

Link: CVE-2023-25169

Vulnrichment

Updated: 2024-08-02T11:18:35.674Z

NVD

Status : Modified

Published: 2023-03-06T18:15:10.473

Modified: 2024-11-21T07:49:14.607

Link: CVE-2023-25169

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-25169", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-02-03T16:59:18.246Z", "datePublished": "2023-03-06T17:40:45.721Z", "dateUpdated": "2025-02-25T15:01:17.448Z"}, "containers": {"cna": {"title": "Yearly Review Plugin leaking anonymised users data in discourse-yearly-review", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7"}, {"name": "https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c"}], "affected": [{"vendor": "discourse", "product": "discourse-yearly-review", "versions": [{"version": "< 0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-06T17:40:45.721Z"}, "descriptions": [{"lang": "en", "value": "discourse-yearly-review is a discourse plugin which publishes an automated Year in Review topic. In affected versions a user present in a yearly review topic that is then anonymised will still have some data linked to its original account. This issue has been patched in commit `b3ab33bbf7` which is included in the latest version of the Discourse Yearly Review plugin. Users are advised to upgrade. Users unable to upgrade may disable the `yearly_review_enabled` setting to fully mitigate the issue. Also, it's possible to edit the anonymised user's old data in the yearly review topics manually."}], "source": {"advisory": "GHSA-x2r8-v85c-x3x7", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:18:35.674Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7"}, {"name": "https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-25T14:30:22.661447Z", "id": "CVE-2023-25169", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T15:01:17.448Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7", "name": "https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c", "name": "https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:18:35.674Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-25169", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-25T14:30:22.661447Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T14:30:24.776Z"}}], "cna": {"title": "Yearly Review Plugin leaking anonymised users data in discourse-yearly-review", "source": {"advisory": "GHSA-x2r8-v85c-x3x7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse-yearly-review", "versions": [{"status": "affected", "version": "< 0.2"}]}], "references": [{"url": "https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7", "name": "https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c", "name": "https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "discourse-yearly-review is a discourse plugin which publishes an automated Year in Review topic. In affected versions a user present in a yearly review topic that is then anonymised will still have some data linked to its original account. This issue has been patched in commit `b3ab33bbf7` which is included in the latest version of the Discourse Yearly Review plugin. Users are advised to upgrade. Users unable to upgrade may disable the `yearly_review_enabled` setting to fully mitigate the issue. Also, it's possible to edit the anonymised user's old data in the yearly review topics manually."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-06T17:40:45.721Z"}}}, "cveMetadata": {"cveId": "CVE-2023-25169", "state": "PUBLISHED", "dateUpdated": "2025-02-25T15:01:17.448Z", "dateReserved": "2023-02-03T16:59:18.246Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-03-06T17:40:45.721Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse_yearly_review:*:*:*:*:*:discourse:*:*", "matchCriteriaId": "1C0B6C1E-A6EA-42E5-8DF9-85324D5BF5CB", "versionEndExcluding": "0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "discourse-yearly-review is a discourse plugin which publishes an automated Year in Review topic. In affected versions a user present in a yearly review topic that is then anonymised will still have some data linked to its original account. This issue has been patched in commit `b3ab33bbf7` which is included in the latest version of the Discourse Yearly Review plugin. Users are advised to upgrade. Users unable to upgrade may disable the `yearly_review_enabled` setting to fully mitigate the issue. Also, it's possible to edit the anonymised user's old data in the yearly review topics manually."}], "id": "CVE-2023-25169", "lastModified": "2024-11-21T07:49:14.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-06T18:15:10.473", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/discourse/discourse-yearly-review/commit/b3ab33bbf7130fca54764cf0336395a8a1eeaf3c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/discourse/discourse-yearly-review/security/advisories/GHSA-x2r8-v85c-x3x7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}