MessageBus::Diagnostics route susceptible to DoS
Package
Discourse
(Discourse)
Affected versions
stable <= 2.7.11; beta <= 2.8.0.beta9; tests-passed <= 2.8.0.beta9
Patched versions
stable > 2.7.11; beta > 2.8.0.beta9; tests-passed > 2.8.0.beta9
Impact
Admin users can trigger a Denial of Service attack via the /message-bus/_diagnostics path. The impact of this vulnerability is greater on multisite Discourse instances (where multiple forums are served from a single application server), where any admin user on any of the forums is able to visit the /message-bus/_diagnostics path.
Patches
The problem has been patched. Please upgrade to 2.8.0.beta10 or 2.7.12.
Workarounds
None.
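For operators triaging the Impact section above, the following is an added Ruby example (not Discourse's own code, and not from the advisory). It checks a running version against the affected ranges listed in the advisory, and counts requests to the /message-bus/_diagnostics route in access-log lines, keyed by virtual host and client IP so that activity on any forum of a multisite install is visible. It assumes Discourse version strings order the way Gem::Version orders them (2.8.0.beta9 before 2.8.0.beta10 before 2.8.0), and it assumes a constructed nginx-style log format in which the virtual host is the first field; the sample log lines are constructed, not real traffic.

```ruby
# Added triage helper for the advisory above (not Discourse's own code).
# Assumptions: Discourse version strings follow Gem::Version semantics
# (e.g. "2.8.0.beta9"), and the web server writes nginx-style access logs
# with the virtual host as the first field (constructed format, see SAMPLE_LOG).
require "rubygems"

# Upper bound of the affected range per release channel, from the advisory.
AFFECTED_UPTO = {
  "stable"       => Gem::Version.new("2.7.11"),
  "beta"         => Gem::Version.new("2.8.0.beta9"),
  "tests-passed" => Gem::Version.new("2.8.0.beta9"),
}.freeze

# True when the given version is inside the affected range for its channel.
# Gem::Version orders prereleases correctly: 2.8.0.beta9 < 2.8.0.beta10 < 2.8.0.
def affected?(channel, version)
  bound = AFFECTED_UPTO.fetch(channel) { raise ArgumentError, "unknown channel #{channel}" }
  Gem::Version.new(version) <= bound
end

DIAGNOSTICS_PATH = "/message-bus/_diagnostics"

# Constructed log line shape:
#   <vhost> <client ip> - - [time] "METHOD /path HTTP/1.1" <status> <bytes>
LOG_LINE = /\A(?<host>\S+) (?<ip>\S+) \S+ \S+ \[[^\]]*\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Count requests to the diagnostics route, keyed by [virtual host, client IP].
# On a multisite install every vhost shares one application server, so hits
# against any host matter, which is why the host is kept in the key.
def diagnostics_hits(lines)
  counts = Hash.new(0)
  lines.each do |line|
    m = LOG_LINE.match(line) or next
    path = m[:path].split("?", 2).first          # drop any query string
    next unless path == DIAGNOSTICS_PATH || path.start_with?("#{DIAGNOSTICS_PATH}/")
    counts[[m[:host], m[:ip]]] += 1
  end
  counts
end

# Constructed sample log (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
  'forum-a.example 203.0.113.10 - - [01/Jan/2022:10:00:00 +0000] "GET /message-bus/_diagnostics HTTP/1.1" 200 512',
  'forum-a.example 203.0.113.10 - - [01/Jan/2022:10:00:01 +0000] "GET /message-bus/_diagnostics?x=1 HTTP/1.1" 200 512',
  'forum-a.example 203.0.113.10 - - [01/Jan/2022:10:00:02 +0000] "GET /message-bus/_diagnostics HTTP/1.1" 200 512',
  'forum-b.example 198.51.100.7 - - [01/Jan/2022:10:00:03 +0000] "GET /message-bus/_diagnostics HTTP/1.1" 200 512',
  'forum-b.example 198.51.100.7 - - [01/Jan/2022:10:00:04 +0000] "GET /latest HTTP/1.1" 200 9000',
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "stable 2.7.11 affected?      #{affected?('stable', '2.7.11')}"
  puts "beta 2.8.0.beta10 affected?  #{affected?('beta', '2.8.0.beta10')}"
  diagnostics_hits(SAMPLE_LOG).each do |(host, ip), n|
    puts "#{host} #{ip} -> #{n} request(s) to #{DIAGNOSTICS_PATH}"
  end
end
```

Run it against your own log lines by replacing SAMPLE_LOG; a non-zero count from a host that has no legitimate reason to be inspecting the message bus is worth correlating with the admin audit log on that forum, and the version check tells you whether upgrading to 2.7.12 or 2.8.0.beta10 is still outstanding.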