MessageBus::Diagnostics route susceptible to DoS

High
SamSaffron published GHSA-59jr-pj65-qmvr Jan 4, 2022

Package

Discourse (Discourse)

Affected versions

stable <= 2.7.11; beta <= 2.8.0.beta9; tests-passed <= 2.8.0.beta9

Patched versions

stable > 2.7.11; beta > 2.8.0.beta9; tests-passed > 2.8.0.beta9

Description

Impact

Admin users can trigger a Denial of Service attack via the /message-bus/_diagnostics path. The impact of this vulnerability is greater on multisite Discourse instances (where multiple forums are served from a single application server), because any admin user on any of the hosted forums is able to visit the /message-bus/_diagnostics path.

Patches

The problem has been patched. Please upgrade to 2.8.0.beta10 or 2.7.12.

Workarounds

None.

Severity

High, 8.2 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: High

Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H

CVE ID

CVE-2021-43850

Weaknesses

No CWEs