CVE-2023-38498
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
Discourse is an open source discussion platform. Prior to version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches, a malicious user can prevent the defer queue from proceeding promptly on sites hosted in the same multisite installation. The issue is patched in version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches. There are no known workarounds for this vulnerability. Users of multisite configurations should upgrade.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| discourse | discourse | >= 3.1.0.beta1, < 3.1.0.beta7 | affected |
| discourse | discourse | < 3.0.6 | affected |
Weaknesses
- CWE-400: CWE-400: Uncontrolled Resource Consumption
- CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/discourse/discourse/security/advisories/GHSA-wv29-rm3f-4g2j
- https://github.com/discourse/discourse/commit/26e267478d785e2f32ee7da4613e2cf4a65ff182
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/discourse/discourse/security/advisories/GHSA-wv29-rm3f-4g2j
- https://github.com/discourse/discourse/commit/26e267478d785e2f32ee7da4613e2cf4a65ff182
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.