Discourse vulnerable to ReDoS in user agent parsing
CVE-2023-23621

7.5HIGH

Key Information:

Vendor
discourse
Status
discourse
Vendor
CVE Published:
28 January 2023

Summary

Discourse, the open-source discussion platform, is affected by a vulnerability that permits a malicious individual to exploit the system through a specially crafted user agent, leading to a regular expression denial of service. This vulnerability impacts versions before 3.0.1 on the stable branch and 3.1.0.beta2 on the beta and tests-passed branches. The flaw has been patched in the specified versions, ensuring the platform's security against this type of attack, which can degrade service availability.

Affected Version(s)

discourse < 3.0.1 < 3.0.1

discourse = 3.1.0.beta1 = 3.1.0.beta1

References

https://github.com/discourse/discourse/security/advisorie...
x_refsource_CONFIRM
https://github.com/discourse/discourse/pull/20002
x_refsource_MISC
https://github.com/discourse/discourse/commit/6d92c3cbdac...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.