Описание
Discourse is an open source discussion platform. In versions prior to 2.8.1 in the stable branch, 2.9.0.beta2 in the beta branch, and 2.9.0.beta2 in the tests-passed branch, users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job trigger an infinite loop, which cause memory leaks. This issue is patched in version 2.8.1 of the stable branch, 2.9.0.beta2 of the beta branch, and 2.9.0.beta2 of the tests-passed branch. As a workaround, disable onebox in admin panel completely or specify allow list of domains that will be oneboxed.
Ссылки
- PatchThird Party Advisory
- PatchThird Party Advisory
- Issue TrackingThird Party Advisory
- PatchThird Party Advisory
- PatchThird Party Advisory
- Issue TrackingThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.8.1 (исключая)
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
EPSS
Процентиль: 67%
0.00543
Низкий
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-835
CWE-835
EPSS
Процентиль: 67%
0.00543
Низкий
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-835
CWE-835