Lucene search

GitHub_MCVELIST:CVE-2023-32301

HistoryJun 13, 2023 - 9:35 p.m.

CVE-2023-32301 Discourse's canonical url not being used for topic embeddings

2023-06-1321:35:38

CWE-116

GitHub_M

www.cve.org

discourse

canonical url

duplicate topics

issue

version 3.0.4

version 3.1.0.beta5

topic embedding

workaround

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

18.6%

JSON

Discourse is an open source discussion platform. Prior to version 3.0.4 of the stable branch and version 3.1.0.beta5 of the beta and tests-passed branches, multiple duplicate topics could be created if topic embedding is enabled. This issue is patched in version 3.0.4 of the stable branch and version 3.1.0.beta5 of the beta and tests-passed branches. As a workaround, disable topic embedding if it has been enabled.

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse",
    "versions": [
      {
        "version": "< 3.0.4",
        "status": "affected"
      },
      {
        "version": ">= 3.1.0.beta1, < 3.1.0.beta5",
        "status": "affected"
      }
    ]
  }
]

References

github.com/discourse/discourse/security/advisories/GHSA-p2jx-m2j5-hqh4

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

18.6%

JSON

Related for CVELIST:CVE-2023-32301