CVE-2023-40588

Summary

Discourse is an open-source discussion platform. Prior to version 3.1.1 of the stable branch and version 3.2.0.beta1 of the beta and tests-passed branches, a malicious user could add a 2FA or security key with a carefully crafted name to their account and cause a denial of service for other users. The issue is patched in version 3.1.1 of the stable branch and version 3.2.0.beta1 of the beta and tests-passed branches. There are no known workarounds.

Affected Software

VendorProductVersion RangeStatus
discoursediscoursestable < 3.1.1affected
discoursediscoursebeta < 3.2.0.beta1affected
discoursediscoursetests-passed < 3.2.0.beta1affected

Weaknesses

  • CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References