Lucene search

K
cvelistGitHub_MCVELIST:CVE-2023-22739
HistoryJan 26, 2023 - 8:45 a.m.

CVE-2023-22739 Discourse subject to Allocation of Resources Without Limits or Throttling

2023-01-2608:45:37
CWE-770
GitHub_M
www.cve.org
discourse
vulnerability
resource allocation

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.9%

Discourse is an open source platform for community discussion. Versions prior to 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed) are subject to Allocation of Resources Without Limits or Throttling. As there is no limit on data contained in a draft, a malicious user can create an arbitrarily large draft, forcing the instance to a crawl. This issue is patched in versions 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed). There are no workarounds.

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse",
    "versions": [
      {
        "version": "stable < 3.0.1",
        "status": "affected"
      },
      {
        "version": "beta < 3.1.0.beta2",
        "status": "affected"
      },
      {
        "version": "tests-passed <3.1.0.beta2",
        "status": "affected"
      }
    ]
  }
]

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.9%

Related for CVELIST:CVE-2023-22739