Lucene search

[email protected]CVE-2021-3138

HistoryJan 14, 2021 - 4:15 a.m.

CVE-2021-3138

2021-01-1404:15:00

CWE-307

[email protected]

web.nvd.nist.gov

cve-2021-3138

discourse

rate-limit bypass

2fa

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.018 Low

EPSS

Percentile

88.0%

JSON

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.

CPENameOperatorVersion
discourse:discoursediscourseeq2.7.0
discourse:discoursediscoursele2.6.0

CPE	Name	Operator	Version
discourse:discourse	discourse	eq	2.7.0
discourse:discourse	discourse	le	2.6.0

References

packetstormsecurity.com/files/162256/Discourse-2.7.0-2FA-Bypass.html

github.com/discourse/discourse/releases

github.com/Mesh3l911/Disource

Social References

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.018 Low

EPSS

Percentile

88.0%

JSON

Related for CVE-2021-3138

prion1 openvas1 zdt1 osv2 exploitdb1 githubexploit1 cnvd1 packetstorm1