CVE-2022-39226

Summary

Discourse is an open source discussion platform. In versions prior to 2.8.9 on the stable branch and prior to 2.9.0.beta10 on the beta and tests-passed branches, a malicious actor can add large payloads of text into the Location and Website fields of a user profile, which causes issues for other users when loading that profile. A fix to limit the length of user input for these fields is included in version 2.8.9 on the stable branch and version 2.9.0.beta10 on the beta and tests-passed branches. There are no known workarounds.

Affected Software

VendorProductVersion RangeStatus
discoursediscourse< 2.8.9affected
discoursediscourse>= 2.9.0.beta0, < 2.9.0.beta10affected

Weaknesses

  • CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling
  • CWE-20: CWE-20: Improper Input Validation

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References