Admin-Initiated SSRF Attacks Vulnerability in Discourse-AI Plugin
CVE-2024-23654

4.1MEDIUM

Key Information:

Vendor: Discourse
Status: Discourse-ai
Vendor: CVE Published:; 21 February 2024

What is CVE-2024-23654?

The Discourse AI plugin for the Discourse platform has a vulnerability that allows unauthorized admin-initiated Server-Side Request Forgery (SSRF) attacks. This vulnerability arises from interactions with various AI services, exposing the system to potential exploitation. Versions of the plugin affected by this issue have been addressed in later commits, specifically after commit 94ba0dadc2cf38e8f81c3936974c167219878edd, which contains the necessary patch. For immediate remediation, users can temporarily disable the discourse-ai plugin.

Affected Version(s)

discourse-ai < 94ba0dadc2cf38e8f81c3936974c167219878edd

References

https://github.com/discourse/discourse-ai/security/adviso...

x_refsource_CONFIRM

https://github.com/discourse/discourse-ai/commit/94ba0dad...

x_refsource_MISC

CVSS V3.1

Score:

4.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 21, 2024
Vulnerability Reserved
Jan 19, 2024