Anonymous Cache Poisoning Vulnerability in Discourse Affects Only Anonymous Visitors
CVE-2024-47773

8.2HIGH

Key Information:

Vendor: Discourse
Status: Discourse
Vendor: CVE Published:; 8 October 2024

Summary

A vulnerability exists in the Discourse platform, an open-source solution for community discussions, allowing attackers to exploit a cache poisoning issue. This vulnerability primarily affects anonymous visitors who may encounter manipulated responses due to repeatedly made XHR requests. Once attacked, the cache can deliver unauthorized content, compromising the integrity of user interactions. The issue has been addressed in the latest version of Discourse, and users are strongly encouraged to upgrade. Those who cannot upgrade should disable the anonymous cache by configuring the DISCOURSE_DISABLE_ANON_CACHE environment variable accordingly.

Affected Version(s)

discourse stable: < 3.3.2 < stable: 3.3.2

discourse tests-passed: < 3.4.0.beta2 < tests-passed: 3.4.0.beta2

References

https://github.com/discourse/discourse/security/advisorie...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 8, 2024
Vulnerability Reserved
Sep 30, 2024