Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2023-46241

Disclosure Date: February 21, 2024 •

CVE-2023-46241 CVSS v3 Base Score: 8.1

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

discourse-microsoft-auth is a plugin that enables authentication via Microsoft. On sites with the discourse-microsoft-auth plugin enabled, an attack can potentially take control of a victim’s Discourse account. Sites that have configured their application’s account type to any options other than Accounts in this organizational directory only (O365 only - Single tenant) are vulnerable. This vulnerability has been patched in commit c40665f44509724b64938c85def9fb2e79f62ec8 of discourse-microsoft-auth. A microsoft_auth:revoke rake task has also been added which will deactivate and log out all users that have connected their accounts to Microsoft. User API keys as well as API keys created by those users will also be revoked. The rake task will also remove the connection records to Microsoft for those users. This will allow affected users to re-verify their account emails as well as reconnect their Discourse account to Microsoft for authentication. As a workaround, disable the discourse-microsoft-auth plugin by setting the microsoft_auth_enabled site setting to false. Run the microsoft_auth:log_out_users rake task to log out all users with associated Microsoft accounts.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.1 High

Impact Score:

5.9

Exploitability Score:

2.2

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

High

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

discourse

Products

microsoft authentication

References

Canonical

CVE-2023-46241 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46241)

Miscellaneous

https://github.com/discourse/discourse-microsoft-auth/security/advisories/GHSA-2w32-w539-3m7r

https://github.com/discourse/discourse-microsoft-auth/commit/c40665f44509724b64938c85def9fb2e79f62ec8

https://learn.microsoft.com/en-us/security/zero-trust/develop/identity-supported-account-types

Rapid7

Unknown

CVE-2023-46241

Unknown

Unknown

None

None

Network

CVE-2023-46241

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2023-46241

Unknown

Unknown

None

None

Network

CVE-2023-46241

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification