Lucene search

GitHub_MCVELIST:CVE-2024-21658

HistoryAug 30, 2024 - 5:18 p.m.

CVE-2024-21658 Insufficient control of region value length in discourse-calendar

2024-08-3017:18:40

CWE-400

GitHub_M

www.cve.org

cve-2024-21658

discourse-calendar

dynamic calendar

region value length

bandwidth

disk space

vulnerability

upgrade

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

EPSS

Percentile

16.5%

JSON

discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in main the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible.

CNA Affected

[
  {
    "vendor": "discourse",
    "product": "discourse-calendar",
    "versions": [
      {
        "version": "< 66259cd21dc6a1b2139d9833f3f847d8013e6759",
        "status": "affected"
      }
    ]
  }
]

References

github.com/discourse/discourse-calendar/security/advisories/GHSA-65f2-9ghp-x8h8

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

EPSS

Percentile

16.5%

JSON

Related for CVELIST:CVE-2024-21658