CVE-2021-41082
📋 TL;DR
Discourse had a vulnerability where private message titles and participant lists were exposed to unauthorized users when groups were included in messages. The vulnerability affected Discourse instances running the tests-passed branch during a brief 32-minute window. While message content remained protected, this information disclosure could reveal sensitive metadata about private conversations.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse, the open-source discussion platform, by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map organizational structures, identify private conversations between specific users/groups, and potentially use this information for social engineering or targeted attacks.
Likely Case
Unauthorized users see private message titles and participant lists in their inbox, revealing metadata about confidential discussions without accessing message content.
If Mitigated
With proper access controls, only authorized users see private message metadata, maintaining confidentiality of conversation participants and topics.
🎯 Exploit Status
Exploitation requires a user account on the Discourse instance. The vulnerable commit was quickly reverted, limiting the exposure window.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest commit on the tests-passed branch after the revert
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-vm3x-w6jm-j9vv
Restart Required: Yes
Instructions:
1. Update to the latest commit on the tests-passed branch
2. Restart the Discourse application
3. Verify the fix by checking that private message metadata is no longer exposed to unauthorized users
🔧 Temporary Workarounds
Disable private messaging temporarily
Temporarily disable the private messaging feature to prevent the information disclosure
# Edit the Discourse site settings to disable private messaging
# This requires administrative access to the Discourse instance
🧯 If You Can't Patch
- Restrict user access to only trusted individuals during vulnerable period
- Monitor logs for unusual access patterns to private message metadata
🔍 How to Verify
Check if Vulnerable:
Check whether your Discourse instance was running the tests-passed branch during the 32-minute window in which commit 27bad28c530c89acab35a56b945b6a3924280f4b was active (before the revert)
Check Version:
Check the Discourse admin panel, or run git log --oneline -1 in the Discourse checkout
Verify Fix Applied:
Test with two user accounts: one with access to a private message that includes a group, and one without. Verify that the unauthorized user cannot see the private message title or its participants.
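The two-account check above can be automated. The following is an added example, not Discourse's own code: it assumes an API key for each of the two accounts and the id of a private message that has a group among its recipients, and it uses Discourse's standard JSON routes (/topics/private-messages/<user>.json for the inbox list, /t/<id>.json for the topic) with the Api-Key and Api-Username headers. The decision logic is kept separate from the HTTP calls so it can be run on captured JSON.

```python
# Added example for verifying the CVE-2021-41082 fix (not Discourse's own code).
# Assumptions: two accounts with API keys, one a PM participant and one an
# outsider, and the numeric id of a PM whose recipients include a group.
import json
import urllib.request
from urllib.error import HTTPError

def fetch_json(base_url, path, api_key, api_username):
    """GET a Discourse JSON route as a given user; returns (status, body-or-None)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Api-Key": api_key, "Api-Username": api_username,
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:  # 403/404 are the expected answers for an outsider
        return err.code, None

def inbox_topics(inbox_json):
    """Map topic id -> title from a /topics/private-messages/<user>.json body."""
    topics = (inbox_json or {}).get("topic_list", {}).get("topics", [])
    return {t["id"]: t.get("title") for t in topics}

def evaluate(topic_id, participant_inbox, outsider_inbox, outsider_topic_status):
    """Pure decision logic. Returns a list of findings; an empty list means the
    metadata is confined to participants, i.e. the fix is in effect."""
    findings = []
    if topic_id not in inbox_topics(participant_inbox):
        findings.append("participant cannot see the PM (wrong topic id or key?)")
    if topic_id in inbox_topics(outsider_inbox):
        findings.append("LEAK: PM title/participants listed in outsider inbox")
    if outsider_topic_status == 200:
        findings.append("LEAK: outsider can read /t/<id>.json directly")
    return findings

def run_check(base_url, topic_id, participant, outsider):
    """participant/outsider are (username, api_key) tuples for the two accounts."""
    _, p_inbox = fetch_json(base_url, f"/topics/private-messages/{participant[0]}.json",
                            participant[1], participant[0])
    _, o_inbox = fetch_json(base_url, f"/topics/private-messages/{outsider[0]}.json",
                            outsider[1], outsider[0])
    o_status, _ = fetch_json(base_url, f"/t/{topic_id}.json", outsider[1], outsider[0])
    return evaluate(topic_id, p_inbox, o_inbox, o_status)
```

A 403 or 404 for the outsider's direct topic request both count as denied; only a 200 is reported as a leak.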
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to private message metadata by unauthorized users
- Multiple users accessing same private message metadata without proper authorization
Network Indicators:
- Increased API calls to private message endpoints from unauthorized accounts
SIEM Query:
source="discourse" AND (event="private_message_access" OR event="message_metadata") AND user NOT IN authorized_users
🔗 References
- https://github.com/discourse/discourse/commit/27bad28c530c89acab35a56b945b6a3924280f4b
- https://github.com/discourse/discourse/commit/ddb458343dc39a7a8c99467dcd809b444514fe2c
- https://github.com/discourse/discourse/security/advisories/GHSA-vm3x-w6jm-j9vv