CVE-2023-47121

Published: Nov 10, 2023Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, the embedding feature is susceptible to server side request forgery. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. As a workaround, disable the Embedding feature.

Affected (4)

Products: Discourse: Discourse

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Discourse Discourse	Before 3.2.0
Discourse Discourse	Before 3.1.3
Discourse Discourse	Version 3.2.0 beta1
Discourse Discourse	Version 3.2.0 beta2

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (6)

https://github.com/discourse/discourse/commit/24cca10da731734af4e9748de99a508d586e59f1

Source: security-advisories@github.com

Patch

https://github.com/discourse/discourse/commit/5f20748e402223b265e6fee381472c14e2604da6

Source: security-advisories@github.com

Patch

https://github.com/discourse/discourse/security/advisories/GHSA-hp24-94qf-8cgc

Source: security-advisories@github.com

Vendor Advisory

https://github.com/discourse/discourse/commit/24cca10da731734af4e9748de99a508d586e59f1

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/discourse/discourse/commit/5f20748e402223b265e6fee381472c14e2604da6

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/discourse/discourse/security/advisories/GHSA-hp24-94qf-8cgc

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.