Lucene search

GitHub_MCVE-2024-21658

HistoryAug 30, 2024 - 6:15 p.m.

CVE-2024-21658

2024-08-3018:15:06

CWE-770

CWE-400

GitHub_M

web.nvd.nist.gov

discourse-calendar

dynamic calendar

region value

bandwidth

disk space

vulnerability

upgrade

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

AI Score

6.8

Confidence

High

EPSS

Percentile

16.5%

JSON

discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in main the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible.

Affected configurations

Nvd

Vulners

Node

discoursediscourse_calendarRange<2024-08-28discourse

VendorProductVersionCPE
discoursediscourse_calendar*cpe:2.3:a:discourse:discourse_calendar:*:*:*:*:*:discourse:*:*

Vendor	Product	Version	CPE
discourse	discourse_calendar	*	cpe:2.3:a:discourse:discourse_calendar::::::discourse::*

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse-calendar",
    "versions": [
      {
        "version": "< 66259cd21dc6a1b2139d9833f3f847d8013e6759",
        "status": "affected"
      }
    ]
  }
]

References

github.com/discourse/discourse-calendar/security/advisories/GHSA-65f2-9ghp-x8h8

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

AI Score

6.8

Confidence

High

EPSS

Percentile

16.5%

JSON

Related for CVE-2024-21658