{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27100", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-19T14:43:05.994Z", "datePublished": "2024-03-15T19:21:49.443Z", "dateUpdated": "2024-06-04T17:46:44.223Z"}, "containers": {"cna": {"title": "Denial of service via Staff Actions in Discourse", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc"}, {"name": "https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": "stable <= 3.2.0", "status": "affected"}, {"version": "beta <= 3.3.0.beta1", "status": "affected"}, {"version": "tests-passed <= 3.3.0.beta1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-15T19:21:49.443Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren't enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could render an instance inoperable. A site could be disrupted by either a malicious moderator on the same site or a malicious staff member on another site in the same multisite cluster. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-xq4v-qg27-gxgc", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27100", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-18T16:16:38.459832Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:46:44.223Z"}}]}}

{"descriptions": [{"lang": "en", "value": "Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren't enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could render an instance inoperable. A site could be disrupted by either a malicious moderator on the same site or a malicious staff member on another site in the same multisite cluster. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Discourse es una plataforma de c\u00f3digo abierto para el debate comunitario. En las versiones afectadas, los endpoints para suspender usuarios, silenciar usuarios y exportar archivos CSV no impon\u00edan l\u00edmites en los tama\u00f1os de los par\u00e1metros que aceptaban. Esto podr\u00eda provocar un consumo excesivo de recursos que podr\u00eda dejar una instancia inoperable. Un sitio podr\u00eda verse interrumpido por un moderador malintencionado en el mismo sitio o por un miembro del personal malicioso en otro sitio en el mismo cl\u00faster multisitio. Este problema est\u00e1 solucionado en las \u00faltimas versiones estable, beta y de prueba de Discourse. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-27100", "lastModified": "2024-03-17T22:38:29.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-15T20:15:08.490", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}