BIT-discourse-2022-23641

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2022-23641.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-discourse-2022-23641

Aliases

CVE-2022-23641

Published

2024-03-06T11:06:58.961Z

Modified

2025-01-17T15:26:01.971Z

Summary

[none]

Details

Discourse is an open source discussion platform. In versions prior to 2.8.1 in the stable branch, users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job trigger an infinite loop, which cause memory leaks. This issue is patched in version 2.8.1 of the stable branch, 2.9.0.beta2 of the beta branch, and 2.9.0.beta2 of the tests-passed branch. As a workaround, disable onebox in admin panel completely or specify allow list of domains that will be oneboxed.

Database specific

{
    "cpes": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / discourse

Package

Name: discourse
Purl: pkg:bitnami/discourse

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.8.1