CVE-2021-43794

Summary

Discourse is an open source discussion platform. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown a JSON blob instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Affected Software

VendorProductVersion RangeStatus
discoursediscoursestable < 2.7.11affected
discoursediscoursebeta < 2.8.0.beta9affected
discoursediscoursetests-passed < 2.8.0.beta9affected

Weaknesses

  • CWE-610: CWE-610: Externally Controlled Reference to a Resource in Another Sphere

ADP Enrichment

CVE Program Container

Additional References

References