CVE-2023-38684

high-risk
Published 2023-07-28

Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, in multiple controller actions, Discourse accepts limit params but does not impose any upper bound on the values being accepted. Without an upper bound, the software may allow arbitrary users to generate DB queries which may end up exhausting the resources on the server. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability.

Do I need to act?

-
0.15% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Discourse

References (4)

Patch https://github.com/discourse/discourse/commit/bfc3132bb22bd5b7e86f428746b89c4d3d...
Vendor Advisory https://github.com/discourse/discourse/security/advisories/GHSA-ff7g-xv79-hgmf
Patch https://github.com/discourse/discourse/commit/bfc3132bb22bd5b7e86f428746b89c4d3d...
Vendor Advisory https://github.com/discourse/discourse/security/advisories/GHSA-ff7g-xv79-hgmf
55
/ 100
high-risk
Severity 21/34 · High
Exploitability 1/34 · Minimal
Exposure 33/34 · Critical