CVE-2022-39241
7.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Summary
Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a workaround, self-hosters can use DISCOURSE_BLOCKED_IP_BLOCKS env var (which overrides blocked_ip_blocks setting) to stop webhooks from accessing private IPs.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| discourse | discourse | <= 2.8.9 | affected |
| discourse | discourse | <= 2.9.0.beta10 | affected |
Weaknesses
- CWE-918: CWE-918: Server-Side Request Forgery (SSRF)
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.