
DoS via drafts

Moderate
jomaxro published GHSA-7wpp-4pqg-gvp8 Sep 12, 2023

Package

Discourse (Discourse)

Affected versions

stable <= 3.1.0; beta <= 3.1.0.beta8; tests-passed <= 3.1.0.beta8

Patched versions

stable >= 3.1.1; beta >= 3.2.0.beta1; tests-passed >= 3.2.0.beta1

Description

Impact

A malicious user can create an unlimited number of drafts with very long draft keys, which may exhaust the server's resources.
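The two missing bounds described above (number of drafts per user and draft key length), shown as an added example that is not taken from the advisory or from Discourse's code base. The class and method names are hypothetical, and the limit values are assumptions chosen for illustration.

```ruby
# Limits are assumed values for illustration, not Discourse's settings.
MAX_DRAFT_KEY_LENGTH = 40
MAX_DRAFTS_PER_USER = 100

class DraftLimitError < StandardError; end

# In-memory stand-in for a drafts table keyed by (user_id, draft_key).
class BoundedDraftStore
  def initialize(max_key_length: MAX_DRAFT_KEY_LENGTH, max_per_user: MAX_DRAFTS_PER_USER)
    @max_key_length = max_key_length
    @max_per_user = max_per_user
    @drafts = Hash.new { |h, user_id| h[user_id] = {} }
  end

  # Saves or updates a draft and returns the user's draft count.
  def save(user_id, draft_key, data)
    key = draft_key.to_s
    raise DraftLimitError, "draft key is empty" if key.empty?
    raise DraftLimitError, "draft key too long" if key.length > @max_key_length

    user_drafts = @drafts[user_id]
    # Updating an existing draft adds no row, so only new keys count toward the cap.
    if !user_drafts.key?(key) && user_drafts.size >= @max_per_user
      raise DraftLimitError, "draft limit reached"
    end
    user_drafts[key] = data
    user_drafts.size
  end

  def count(user_id)
    @drafts.key?(user_id) ? @drafts[user_id].size : 0
  end
end

# Constructed input: one account writing many distinct draft keys.
# Returns how many of the writes the store refused.
def count_rejected_writes(store, user_id, attempts)
  rejected = 0
  attempts.times do |i|
    begin
      store.save(user_id, "topic_#{i}", "x")
    rescue DraftLimitError
      rejected += 1
    end
  end
  rejected
end
```

With both bounds in place, the storage one account can consume through drafts is capped at a fixed number of rows with fixed-length keys; the size of the draft body needs its own limit.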

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

None.

Severity

Moderate 6.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-38706

Weaknesses

No CWEs