Lucene search

GoogleOSV:BIT-DISCOURSE-2022-23548

HistoryMar 06, 2024 - 11:07 a.m.

BIT-discourse-2022-23548

2024-03-0611:07:21

Google

osv.dev

discourse

option source discussion

vulnerable parsing

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.6 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.7%

JSON

Discourse is an option source discussion platform. Prior to version 2.8.14 on the stable branch and version 2.9.0.beta16 on the beta and tests-passed branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.

CPENameOperatorVersion
discoursele2.9.0-beta6
discourselt2.8.14
discoursele2.9.0-beta10
discoursele2.9.0-beta13
discoursele2.9.0-beta12
discoursele2.9.0-beta3
discoursege2.9.0-beta7
discoursege2.9.0-beta8
discoursege2.9.0-beta6
discoursele2.9.0-beta4

Name	Operator	Version
discourse	le	2.9.0-beta6
discourse	lt	2.8.14
discourse	le	2.9.0-beta10
discourse	le	2.9.0-beta13
discourse	le	2.9.0-beta12
discourse	le	2.9.0-beta3
discourse	ge	2.9.0-beta7
discourse	ge	2.9.0-beta8
discourse	ge	2.9.0-beta6
discourse	le	2.9.0-beta4

Rows per page:

1-10 of 291

References

github.com/discourse/discourse/pull/19737

github.com/discourse/discourse/security/advisories/GHSA-7rw2-f4x7-7pxf

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.6 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.7%

JSON

Related for OSV:BIT-DISCOURSE-2022-23548