Discourse is an open source platform for community discussion. In affected versions a user logged as an administrator can call arbitrary methods on the SiteSetting
class, notably #clear_cache!
and #notify_changed!
, which when done on a multisite instance, can affect the entire cluster resulting in a denial of service. Users not running in multisite environments are not affected. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.
{ "cpes": [ "cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*", "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*", "cpe:2.3:a:discourse:discourse:3.1.0:beta1:*:*:beta:*:*:*", "cpe:2.3:a:discourse:discourse:3.1.0:beta2:*:*:beta:*:*:*" ], "severity": "Medium" }