Lucene search

GitHub_MCVELIST:CVE-2023-22739

HistoryJan 26, 2023 - 8:45 a.m.

CVE-2023-22739 Discourse subject to Allocation of Resources Without Limits or Throttling

2023-01-2608:45:37

CWE-770

GitHub_M

www.cve.org

discourse

vulnerability

resource allocation

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

35.5%

JSON

Discourse is an open source platform for community discussion. Versions prior to 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed) are subject to Allocation of Resources Without Limits or Throttling. As there is no limit on data contained in a draft, a malicious user can create an arbitrarily large draft, forcing the instance to a crawl. This issue is patched in versions 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed). There are no workarounds.

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse",
    "versions": [
      {
        "version": "stable < 3.0.1",
        "status": "affected"
      },
      {
        "version": "beta < 3.1.0.beta2",
        "status": "affected"
      },
      {
        "version": "tests-passed <3.1.0.beta2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/discourse/discourse/security/advisories/GHSA-rqgr-g6v7-jcfc

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

35.5%

JSON

Related for CVELIST:CVE-2023-22739