CVE-2023-30606

Published: 18 Apr 2023
Source: nvd
CVSS3: 4.2
CVSS3: 4.9
EPSS: Low

Description

Discourse is an open source platform for community discussion. In affected versions, a user logged in as an administrator can call arbitrary methods on the SiteSetting class, notably #clear_cache! and #notify_changed!, which, when done on a multisite instance, can affect the entire cluster, resulting in a denial of service. Users not running in multisite environments are not affected. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*
Versions up to 3.0.1 (inclusive)
cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*
Versions up to 3.1.0 (exclusive)
cpe:2.3:a:discourse:discourse:3.1.0:beta1:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:3.1.0:beta2:*:*:beta:*:*:*

EPSS

Percentile: 17%
0.00052
Low

4.2 Medium

CVSS3

4.9 Medium

CVSS3

Weaknesses

CWE-732
CWE-732