CVE-2023-38706 MEDIUM

CVE-2023-38706: Discourse vulnerable to DoS via drafts

Vendor Discourse
Product discourse
Weakness CWE-770 · Allocation of Resources Without Limits or Throttling
Published September 15, 2023
Last update September 24, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, Discourse placed no limit on how many drafts an authenticated user could create or on the length of each draft's key. A malicious user could therefore create an unlimited number of drafts with very long draft keys, exhausting storage and other resources on the server. The impact is availability only, which is why the CVSS vector rates confidentiality and integrity as None and availability as High, and only a low-privileged (authenticated) account is needed. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds; affected sites should upgrade.
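The two missing bounds are the whole of the weakness. As an added illustration (not Discourse's code and not its actual patch), the Ruby below shows a draft store that enforces a per-user draft count and a draft key length, and an audit helper that scans existing draft rows for users already abusing either bound. The limits `MAX_KEY_LENGTH` and `MAX_DRAFTS_PER_USER`, the class and method names, and the sample rows are all assumptions chosen for the example.

```ruby
# Added illustrative example, not Discourse's own code or patch.
# It enforces the two bounds whose absence CWE-770 describes, and
# audits existing rows for abuse. The numeric limits are assumptions.

class DraftLimitError < StandardError; end

class BoundedDraftStore
  MAX_KEY_LENGTH      = 40   # assumed cap on draft_key length in bytes
  MAX_DRAFTS_PER_USER = 100  # assumed cap on drafts per user

  def initialize
    # user_id => { draft_key => data }
    @drafts = Hash.new { |h, k| h[k] = {} }
  end

  # Create or update a draft. Raises DraftLimitError instead of letting a
  # single user grow the draft table without bound.
  def save(user_id, draft_key, data)
    key = draft_key.to_s
    raise DraftLimitError, "draft_key is empty" if key.empty?
    if key.bytesize > MAX_KEY_LENGTH
      raise DraftLimitError, "draft_key exceeds #{MAX_KEY_LENGTH} bytes"
    end
    user_drafts = @drafts[user_id]
    # Updating an existing key must still be allowed once the cap is hit;
    # only the creation of a new key is refused.
    if !user_drafts.key?(key) && user_drafts.size >= MAX_DRAFTS_PER_USER
      raise DraftLimitError, "user #{user_id} already has #{MAX_DRAFTS_PER_USER} drafts"
    end
    user_drafts[key] = data
    true
  end

  def count_for(user_id)
    @drafts[user_id].size
  end
end

# Audit helper for an existing dataset: given rows shaped like
# { user_id:, draft_key: }, return the users whose draft count or longest
# key exceeds the thresholds, sorted by user_id.
def audit_drafts(rows, max_key_length: BoundedDraftStore::MAX_KEY_LENGTH,
                 max_per_user: BoundedDraftStore::MAX_DRAFTS_PER_USER)
  by_user = rows.group_by { |r| r[:user_id] }
  findings = by_user.map do |uid, urows|
    longest = urows.map { |r| r[:draft_key].to_s.bytesize }.max
    next nil unless urows.size > max_per_user || longest > max_key_length
    { user_id: uid, drafts: urows.size, longest_key: longest }
  end
  findings.compact.sort_by { |h| h[:user_id] }
end

# Constructed sample rows (not real data): user 1 is normal, user 2 uses
# an oversized key, user 3 has far more drafts than the assumed cap.
SAMPLE_ROWS =
  [{ user_id: 1, draft_key: "new_topic" }, { user_id: 1, draft_key: "topic_42" }] +
  [{ user_id: 2, draft_key: "x" * 5000 }] +
  (1..150).map { |i| { user_id: 3, draft_key: "topic_#{i}" } }

if __FILE__ == $PROGRAM_NAME
  store = BoundedDraftStore.new
  store.save(1, "new_topic", "hello")
  begin
    store.save(2, "x" * 5000, "payload")
  rescue DraftLimitError => e
    puts "rejected: #{e.message}"
  end
  audit_drafts(SAMPLE_ROWS).each { |f| puts f.inspect }
end
```

The creation/update distinction in `save` matters in practice: a cap that also blocks updates to an existing draft would lock legitimate users out of their own drafts once they reach the limit, so only new keys count against it. The audit helper is detection for an unpatched site, not a workaround; the fix is the upgrade named above.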

Key dates

02 Disclosure timeline

September 15, 2023 CVE published
September 24, 2024 Record updated