Description
Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, in multiple controller actions, Discourse accepts limit params but does not impose any upper bound on the values being accepted. Without an upper bound, the software may allow arbitrary users to generate DB queries which may end up exhausting the resources on the server. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/discourse/discourse/security/advisories/GHSA-ff7g-xv79-hgmf
Scores
CVSS v3
5.3
EPSS
0.0014
EPSS Percentile
33.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (5)
discourse/discourse
1.1.0 beta1 (9 CPE variants)
discourse/discourse
1.2.0 beta1 (9 CPE variants)
discourse/discourse
1.3.0 beta1 (11 CPE variants)
discourse/discourse
1.4.0 beta1 (12 CPE variants)
discourse/discourse
1.5.0 beta1 (9 CPE variants)
Published
Jul 28, 2023
Tracked Since
Feb 18, 2026