CVE-2022-24824

Published: Apr 14, 2022Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Discourse is an open source platform for community discussion. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown the crawler view of the site instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no known workarounds for this issue.

Affected (4)

Products: Discourse: Discourse

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Discourse Discourse	Before 2.8.3
Discourse Discourse	Version 2.9.0 beta1
Discourse Discourse	Version 2.9.0 beta2
Discourse Discourse	Version 2.9.0 beta3

Related CWEs

Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References (4)

https://github.com/discourse/discourse/commit/b72b0dac10493d09f4f9eb8f3c3ce7817295e34e

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/discourse/discourse/security/advisories/GHSA-46v9-3jc4-f53w

Source: security-advisories@github.com

Third Party Advisory

https://github.com/discourse/discourse/commit/b72b0dac10493d09f4f9eb8f3c3ce7817295e34e

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/discourse/discourse/security/advisories/GHSA-46v9-3jc4-f53w

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.