CVE-2024-21658

discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in main the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse-calendar/security/advisories/GHSA-65f2-9ghp-x8h8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:discourse:discourse_calendar:*:*:*:*:*:discourse:*:*

History

No history.

Information

Published : 2024-08-30 18:15

Updated : 2024-09-05 14:39

NVD link : CVE-2024-21658

Mitre link : CVE-2024-21658

CVE.ORG link : CVE-2024-21658

JSON object : View

Products Affected

discourse

discourse_calendar

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2024-21658", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-08-30T18:15:06.717", "references": [{"url": "https://github.com/discourse/discourse-calendar/security/advisories/GHSA-65f2-9ghp-x8h8", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "discourse-calendar is a discourse plugin which adds the ability to create a dynamic calendar in the first post of a topic. The limit on region value length is too generous. This allows a malicious actor to cause a Discourse instance to use excessive bandwidth and disk space. This issue has been patched in main the main branch. There are no workarounds for this vulnerability. Please upgrade as soon as possible."}, {"lang": "es", "value": "Discourse-calendar es un complemento de Discourse que agrega la capacidad de crear un calendario din\u00e1mico en la primera publicaci\u00f3n de un tema. El l\u00edmite de longitud del valor de la regi\u00f3n es demasiado generoso. Esto permite que un actor malintencionado haga que una instancia de Discourse use un ancho de banda y espacio en disco excesivos. Este problema se ha corregido en la rama principal. No hay workarounds para esta vulnerabilidad. Actualice lo antes posible."}], "lastModified": "2024-09-05T14:39:07.033", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse_calendar:*:*:*:*:*:discourse:*:*", "vulnerable": true, "matchCriteriaId": "EB12625B-F7A9-4407-9CC3-2CBB9E5CB2A2", "versionEndExcluding": "2024-08-28"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}