Multisite DoS by spamming backups
Package
Discourse
(Discourse)
Affected versions
stable <= 3.0.1; beta <= 3.1.0.beta2; tests-passed <= 3.1.0.beta2
Patched versions
stable > 3.0.1; beta > 3.1.0.beta2; tests-passed > 3.1.0.beta2
Impact
A user logged in as an administrator can request backups multiple times, which will eat up all the connections to the DB. If this is done on a site using multisite, then it can affect the whole cluster.
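The failure mode described above, as a simplified model added here (it is not Discourse code and not the actual patch). It contrasts unguarded backup requests against a shared connection pool with a single-flight guard that refuses a new backup while one is running. `Pool`, `BackupGuard`, `simulate` and the pool size are hypothetical names and values chosen for illustration.

```ruby
# Constructed model, not Discourse code. All names and sizes are hypothetical.
class Pool                      # cluster-wide DB pool shared by all sites
  Exhausted = Class.new(StandardError)

  def initialize(size)
    @free = size
  end

  def checkout
    raise Exhausted, "no free DB connections" if @free.zero?
    @free -= 1
  end
end

class BackupGuard               # single-flight: one backup per cluster
  def initialize
    @lock = Mutex.new
    @running = false
  end

  def try_start
    @lock.synchronize do
      return false if @running
      @running = true
    end
  end
end

# Replays `requests` backup requests that arrive while earlier backups are
# still running, then one page view from another site on the same cluster.
# Returns [backups_started, other_site_served].
def simulate(requests:, pool_size:, guard: nil)
  pool = Pool.new(pool_size)
  started = 0
  requests.times do
    next if guard && !guard.try_start   # refused: a backup is already running
    begin
      pool.checkout                     # a running backup holds its connection
      started += 1
    rescue Pool::Exhausted
      break                             # pool is empty, nothing left to hand out
    end
  end
  served = begin
    pool.checkout
    true
  rescue Pool::Exhausted
    false
  end
  [started, served]
end

p simulate(requests: 10, pool_size: 5)                          # unguarded
p simulate(requests: 10, pool_size: 5, guard: BackupGuard.new)  # guarded
```

In the unguarded run the page view from the other site fails because every connection is held by a backup; with the guard only one backup starts and the other site is still served.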
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Workarounds
None.