CVE-2022-39241
moderate-risk
Published 2022-11-02
Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. The latest `stable`, `beta`, and `test-passed` versions are now patched. As a workaround, self-hosters can use the `DISCOURSE_BLOCKED_IP_BLOCKS` environment variable (which overrides the `blocked_ip_blocks` setting) to stop webhooks from accessing private IPs.
Do I need to act?
- 0.29% chance of exploitation (EPSS score: low exploit probability)
- Not on CISA KEV list: no confirmed active exploitation reported to CISA
- Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 7.6/10 · High · NETWORK / LOW complexity
Affected Products (11)
Affected Vendors
References (2)
Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr
44 / 100 · moderate-risk
Severity: 27/34 · High
Exploitability: 1/34 · Minimal
Exposure: 16/34 · Moderate