Lucene search

[email protected]NVD:CVE-2024-21658

HistoryAug 30, 2024 - 6:15 p.m.

CVE-2024-21658

2024-08-3018:15:06

CWE-400

CWE-770

[email protected]

web.nvd.nist.gov

discourse-calendar

malicious actor

bandwidth usage

disk space

vulnerability

upgrade

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

EPSS

Percentile

16.5%

JSON

discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in main the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible.

Affected configurations

Nvd

Node

discoursediscourse_calendarRange<2024-08-28discourse

VendorProductVersionCPE
discoursediscourse_calendar*cpe:2.3:a:discourse:discourse_calendar:*:*:*:*:*:discourse:*:*

Vendor	Product	Version	CPE
discourse	discourse_calendar	*	cpe:2.3:a:discourse:discourse_calendar::::::discourse::*

References

github.com/discourse/discourse-calendar/security/advisories/GHSA-65f2-9ghp-x8h8

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

EPSS

Percentile

16.5%

JSON

Related for NVD:CVE-2024-21658

vulnrichment1 cve1 cvelist1