SSRF protection missing for some FastImage requests

Moderate
jomaxro published GHSA-9897-x229-55gh Mar 17, 2023

Package

Discourse (Discourse)

Affected versions

stable <= 3.1.0; beta <= 3.1.0.beta2; tests-passed <= 3.1.0.beta2

Patched versions

stable >= 3.1.0; beta >= 3.1.0.beta3; tests-passed >= 3.1.0.beta3

Description

Impact

Some user provided URLs were being passed to FastImage without SSRF protection.

Insufficient protections could enable attackers to trigger outbound network connections from the Discourse server to private IP addresses.

This affects any site running the tests-passed or beta branches <= 3.1.0.beta2.
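As an added illustration of the kind of guard the advisory says was missing (this is example code, not Discourse's own patch, which is not reproduced on this page), the Ruby below validates a user-supplied URL before an image-probing library such as FastImage is allowed to fetch it. It parses the URL, resolves the host, and refuses when any resolved address falls in loopback, RFC 1918 private, link-local (including the cloud metadata range), CGNAT or the IPv6 equivalents. The names `ssrf_safe_url?`, `blocked_ip?`, `fetch_if_safe` and `BLOCKED_RANGES` are this example's own, and the resolver is injectable so the check can be exercised offline; FastImage itself is only reached through the block the caller passes in.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Constructed deny-list of ranges an outbound fetcher should never reach:
# "this network", RFC 1918, CGNAT, loopback, link-local (covers 169.254.169.254
# metadata endpoints) and the IPv6 unspecified, loopback, ULA and link-local
# ranges. Treat it as a starting point, not a complete list.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# Default resolver returns every address for the name. All records must be
# checked, because whoever controls the DNS name controls what it resolves to.
DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# True if the address string is inside any blocked range. IPv4-mapped IPv6
# addresses (::ffff:10.0.0.1) are converted to native IPv4 first so they cannot
# bypass the IPv4 entries. Unparseable input is treated as blocked.
def blocked_ip?(ip_str)
  ip = IPAddr.new(ip_str)
  ip = ip.native if ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  true
end

# True if the host part of a URL is an IP literal rather than a DNS name.
def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Accept only http(s) URLs whose host resolves exclusively to routable,
# non-blocked addresses. An empty resolution is rejected rather than allowed.
def ssrf_safe_url?(url, resolver: DEFAULT_RESOLVER)
  uri = URI.parse(url)
  return false unless uri.is_a?(URI::HTTP) && uri.hostname
  host = uri.hostname # strips the [] around IPv6 literals
  addrs = ip_literal?(host) ? [host] : resolver.call(host)
  !addrs.empty? && addrs.none? { |a| blocked_ip?(a) }
rescue URI::InvalidURIError
  false
end

# Run the supplied fetcher (e.g. FastImage.size) only when the URL passed the
# check; returns nil for rejected URLs so callers cannot forget the result.
def fetch_if_safe(url, resolver: DEFAULT_RESOLVER)
  return nil unless ssrf_safe_url?(url, resolver: resolver)
  yield url
end

if __FILE__ == $PROGRAM_NAME
  # Constructed DNS table so the demo runs without network access.
  fake_dns = { "cdn.example" => ["203.0.113.10"], "evil.example" => ["203.0.113.10", "10.0.0.5"] }
  resolver = ->(h) { fake_dns.fetch(h, []) }
  puts ssrf_safe_url?("https://cdn.example/a.png", resolver: resolver)   # true
  puts ssrf_safe_url?("https://evil.example/a.png", resolver: resolver)  # false
  puts ssrf_safe_url?("http://169.254.169.254/latest", resolver: resolver) # false
end
```

Two caveats matter in practice. First, libraries like FastImage follow redirects, so a check on the initial URL alone is not enough: either redirects are disabled or every hop is validated the same way before it is followed. Second, validating the name and then letting the HTTP client resolve it again leaves a window for DNS rebinding; the connection should be made to the address that was actually validated.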

Patches

The issue is patched in the latest beta and tests-passed version of Discourse.

Workarounds

None.

Severity

Moderate
5.9 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

CVE ID

CVE-2023-28112

Weaknesses

No CWEs