CVE-2024-23654

Published: Feb 21, 2024Modified: Feb 5, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

discourse-ai is the AI plugin for the open-source discussion platform Discourse. Prior to commit 94ba0dadc2cf38e8f81c3936974c167219878edd, interactions with different AI services are vulnerable to admin-initiated SSRF attacks. Versions of the plugin that include commit 94ba0dadc2cf38e8f81c3936974c167219878edd contain a patch. As a workaround, one may disable the discourse-ai plugin.

Affected (1)

Products: Discourse: Ai

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Discourse Ai	Before 2024-02-21

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://github.com/discourse/discourse-ai/commit/94ba0dadc2cf38e8f81c3936974c167219878edd

Source: security-advisories@github.com

Patch

https://github.com/discourse/discourse-ai/security/advisories/GHSA-32cj-rm2q-22cc

Source: security-advisories@github.com

Vendor Advisory

https://github.com/discourse/discourse-ai/commit/94ba0dadc2cf38e8f81c3936974c167219878edd

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/discourse/discourse-ai/security/advisories/GHSA-32cj-rm2q-22cc

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.