Skip to content

Anonymous user cache poisoning via maliciously formed request

High
pmusaraj published GHSA-46v9-3jc4-f53w Apr 14, 2022

Package

Discourse (Discourse)

Affected versions

stable <= 2.8.2; beta <= 2.9.0.beta3; tests-passed <= 2.9.0.beta3

Patched versions

stable >= 2.8.3; beta >= 2.9.0.beta4; tests-passed >= 2.9.0.beta4

Description

Impact

An attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown the crawler view of the site instead of the HTML page. This can lead to a partial denial-of-service.

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Severity

High

CVE ID

CVE-2022-24824

Weaknesses

No CWEs