7.6

CVE-2022-39241

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest `stable`, `beta`, and `test-passed` versions are now patched. As a workaround, self-hosters can use `DISCOURSE_BLOCKED_IP_BLOCKS` env var (which overrides `blocked_ip_blocks` setting) to stop webhooks from accessing private IPs.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DiscourseDiscourse Version < 2.8.10
DiscourseDiscourse Version2.9.0 Updatebeta1
DiscourseDiscourse Version2.9.0 Updatebeta10
DiscourseDiscourse Version2.9.0 Updatebeta2
DiscourseDiscourse Version2.9.0 Updatebeta3
DiscourseDiscourse Version2.9.0 Updatebeta4
DiscourseDiscourse Version2.9.0 Updatebeta5
DiscourseDiscourse Version2.9.0 Updatebeta6
DiscourseDiscourse Version2.9.0 Updatebeta7
DiscourseDiscourse Version2.9.0 Updatebeta8
DiscourseDiscourse Version2.9.0 Updatebeta9
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.29% 0.522
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.9 1.2 3.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com 7.6 2.3 4.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.