7.5

CVE-2023-47120

Discourse DoS through Onebox favicon URL

Discourse is an open source platform for community discussion. In versions 3.1.0 through 3.1.2 of the `stable` branch and versions 3.1.0,beta6 through 3.2.0.beta2 of the `beta` and `tests-passed` branches, Redis memory can be depleted by crafting a site with an abnormally long favicon URL and drafting multiple posts which Onebox it. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DiscourseDiscourse SwEditionstable Version >= 3.1.0 < 3.1.3
DiscourseDiscourse Version3.1.0 Updatebeta6 SwEditionbeta
DiscourseDiscourse Version3.1.0 Updatebeta7 SwEditionbeta
DiscourseDiscourse Version3.1.0 Updatebeta8 SwEditionbeta
DiscourseDiscourse Version3.2.0 Updatebeta1 SwEditionbeta
DiscourseDiscourse Version3.2.0 Updatebeta2 SwEditionbeta
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.98% 0.577
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/discourse/discourse/commit/95a82d608d6377faf68a0e2c5d9640b043557852
Patch
https://github.com/discourse/discourse/commit/e910dd09140cb4abc3a563b95af4a137ca7fa0ce
Patch
https://github.com/discourse/discourse/security/advisories/GHSA-77cw-xhj8-hfp3
Vendor Advisory