CVE-2023-38684
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Discourse is an open source discussion platform. Prior to version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches, in multiple controller actions, Discourse accepts limit params but does not impose any upper bound on the values being accepted. Without an upper bound, the software may allow arbitrary users to generate DB queries which may end up exhausting the resources on the server. The issue is patched in version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches. There are no known workarounds for this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| discourse | discourse | >= 3.1.0.beta1, < 3.1.0.beta7 | affected |
| discourse | discourse | < 3.0.6 | affected |
Weaknesses
- CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/discourse/discourse/security/advisories/GHSA-ff7g-xv79-hgmf
- https://github.com/discourse/discourse/commit/bfc3132bb22bd5b7e86f428746b89c4d3d7f5a70
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/discourse/discourse/security/advisories/GHSA-ff7g-xv79-hgmf
- https://github.com/discourse/discourse/commit/bfc3132bb22bd5b7e86f428746b89c4d3d7f5a70
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.