7.5

CVE-2023-28111

Discourse vulnerable to SSRF protection bypass possible with IPv4-mapped IPv6 addresses

Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, attackers are able to bypass Discourse's server-side request forgery (SSRF) protection for private IPv4 addresses by using a IPv4-mapped IPv6 address. The issue is patched in the latest beta and tests-passed version of Discourse. version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DiscourseDiscourse SwEditionbeta Version < 3.1.0
DiscourseDiscourse Version3.1.0 Updatebeta1 SwEditionbeta
DiscourseDiscourse Version3.1.0 Updatebeta2 SwEditionbeta
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.56% 0.418
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com 5.7 2.1 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/discourse/discourse/commit/fd16eade7fcc6bba4b71e71106a2eb13cdfdae4a
Patch
https://github.com/discourse/discourse/pull/20710
Patch
https://github.com/discourse/discourse/security/advisories/GHSA-26h3-8ww8-v5fc
Vendor Advisory