CVE-2023-38684 MEDIUM

CVE-2023-38684: Discourse vulnerable to ossible DDoS due to unbounded limits in various controller actions

Vendor Discourse
Product discourse
Weakness CWE-770 · Uncontrolled resource consumption
Published July 28, 2023
Last update October 10, 2024

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, in multiple controller actions, Discourse accepts limit params but does not impose any upper bound on the values being accepted. Without an upper bound, the software may allow arbitrary users to generate DB queries which may end up exhausting the resources on the server. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

July 28, 2023 CVE published
October 10, 2024 Record updated