4.3

CVE-2023-49099

Discourse secure uploads accessible to guests even when login is required

Discourse is a platform for community discussion. Under very specific circumstances, secure upload URLs associated with posts can be accessed by guest users even when login is required. This vulnerability has been patched in 3.2.0.beta4 and 3.1.4.
Data provided by the National Vulnerability Database (NVD)
Discourse Discourse | SwEdition: stable | Version: < 3.1.4
Discourse Discourse | Version: 3.2.0 | Update: beta1 | SwEdition: beta
Discourse Discourse | Version: 3.2.0 | Update: beta2 | SwEdition: beta
Discourse Discourse | Version: 3.2.0 | Update: beta3 | SwEdition: beta
No warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.32% | 0.236
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
security-advisories@github.com | 3.1 | 1.6 | 1.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/discourse/discourse/commit/1b288236387fc0a823e4f15f1aea8dde81b49d53
Patch
https://github.com/discourse/discourse/security/advisories/GHSA-j67x-x6mq-pwv4
Vendor Advisory