Lucene search

GoogleOSV:BIT-DISCOURSE-2023-22739

HistoryMar 06, 2024 - 11:01 a.m.

BIT-discourse-2023-22739

2024-03-0611:01:16

Google

osv.dev

discourse

open source

community discussion

vulnerable

resource allocation

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

35.5%

JSON

Discourse is an open source platform for community discussion. Versions prior to 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed) are subject to Allocation of Resources Without Limits or Throttling. As there is no limit on data contained in a draft, a malicious user can create an arbitrarily large draft, forcing the instance to a crawl. This issue is patched in versions 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed). There are no workarounds.

References

github.com/discourse/discourse/security/advisories/GHSA-rqgr-g6v7-jcfc

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

35.5%

JSON

Related for OSV:BIT-DISCOURSE-2023-22739