Skip to content

Onebox susceptible to DoS

Moderate
jomaxro published GHSA-22xw-f62v-cfxv Feb 15, 2022

Package

Onebox (Discourse)

Affected versions

stable <= 2.8.0; beta <= 2.9.0.beta1; tests-passed <= 2.8.0

Patched versions

stable >= 2.8.1; beta >= 2.9.0.beta2; tests-passed >= 2.9.0.beta2

Description

Impact

Users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job is triggering an infinite loop which is causing memory leaks.

Patches

This issue is patched in the latest versions of discourse.

Workarounds

Disable onebox in admin panel completely or specify allow list of domains that will be oneboxed.

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2022-23641

Weaknesses

No CWEs