CVE-2024-43789

Discourse is an open source platform for community discussion. A user can create a post with many replies, and then attempt to fetch them all at once. This can potentially reduce the availability of a Discourse instance. This problem has been patched in the latest version of Discourse. All users area are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-62cq-cpmc-hvqq	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse:::::stable:::*
	cpe:2.3:a:discourse:discourse:::::beta:::*
	cpe:2.3:a:discourse:discourse:3.4.0:-:::beta:::*

History

No history.

Information

Published : 2024-10-07 21:15

Updated : 2024-10-19 01:13

NVD link : CVE-2024-43789

Mitre link : CVE-2024-43789

CVE.ORG link : CVE-2024-43789

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-400

Uncontrolled Resource Consumption

NVD-CWE-noinfo

{"id": "CVE-2024-43789", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-10-07T21:15:16.710", "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-62cq-cpmc-hvqq", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Discourse is an open source platform for community discussion. A user can create a post with many replies, and then attempt to fetch them all at once. This can potentially reduce the availability of a Discourse instance. This problem has been patched in the latest version of Discourse. All users area are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Discourse es una plataforma de c\u00f3digo abierto para debates comunitarios. Un usuario puede crear una publicaci\u00f3n con muchas respuestas y luego intentar obtenerlas todas a la vez. Esto puede reducir potencialmente la disponibilidad de una instancia de Discourse. Este problema se ha corregido en la \u00faltima versi\u00f3n de Discourse. Se recomienda a todos los usuarios que actualicen la versi\u00f3n. No existen workarounds conocidas para esta vulnerabilidad."}], "lastModified": "2024-10-19T01:13:38.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*", "vulnerable": true, "matchCriteriaId": "F0E106D0-FFF5-4403-AEB9-D17876E0FE79", "versionEndExcluding": "3.3.1"}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*", "vulnerable": true, "matchCriteriaId": "2203A583-403B-4483-860A-460F22B9671E", "versionEndIncluding": "3.4.0"}, {"criteria": "cpe:2.3:a:discourse:discourse:3.4.0:-:*:*:beta:*:*:*", "vulnerable": true, "matchCriteriaId": "BAB3A427-361B-4FC1-859D-D871B080DEE8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}