Admin-Initiated SSRF Vulnerability in Discourse-AI Plugin
CVE-2024-23654

7.2 HIGH

Key Information:

Vendor:
discourse
CVE Published:
21 February 2024

Summary

The Discourse AI plugin for the Discourse platform contains a vulnerability that allows unauthorized, admin-initiated Server-Side Request Forgery (SSRF) attacks. The issue arises from the plugin's interactions with various AI services, which expose the system to potential exploitation. The fix is contained in commit 94ba0dadc2cf38e8f81c3936974c167219878edd; versions of the plugin before that commit are affected. As a temporary workaround, the discourse-ai plugin can be disabled.

Affected Version(s)

discourse-ai < 94ba0dadc2cf38e8f81c3936974c167219878edd

CVSS v3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved