Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, when submitting a membership request, there is no character limit for the reason provided with the request. This could potentially allow a user to flood the database with a large amount of data. However it is unlikely this could be used as part of a DoS attack, as the paths reading back the reasons are only available to administrators. Starting in version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, a limit of 280 characters has been introduced for membership requests.
Attack Vector Network
Attack Complexity Low
Privileges Required Low
Scope Unchanged
Confidentiality Impact None
Integrity Impact None
Availability Impact Low
User Interaction None
No CVSS v3.0
No CVSS v2
Vendors | Products |
---|---|
Discourse |
|
Configuration 1 [-]
|
Configuration 2 [-]
|
References
Link | Resource |
---|---|
https://github.com/discourse/discourse/commit/3e0cc4a5d9ef44ad902f6985d046ebb32f0a14ee | Patch Third Party Advisory |
https://github.com/discourse/discourse/commit/d5745d34c20c31a221039d8913f33064433003ea | Patch Third Party Advisory |
https://github.com/discourse/discourse/pull/19993 | Patch Third Party Advisory |
https://github.com/discourse/discourse/security/advisories/GHSA-6xff-p329-9pgf | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-01-27T00:00:00
Updated: 2023-01-27T00:00:00
Reserved: 2023-01-16T00:00:00
Link: CVE-2023-23616
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-01-28T00:15:09.070
Modified: 2023-02-08T17:48:21.090
Link: CVE-2023-23616
JSON object: View
Redhat Information
No data.
CWE