Impact
Insufficient protections could enable attackers to trigger outbound network connections from the Discourse server to private IP addresses.
End-users could trigger HTTP GET requests to private IPs, but would not be able to obtain detailed information about the response.
Forum administrators could trigger HTTP GET / POST to private IPs, and view information about the response. They could also trigger a git clone to private IPs using the HTTP or SSH protocol, but would not be able to view the response unless it was a Discourse Theme repository.
The high severity of this advisory reflects the worst-case scenario where admins are untrusted, and there are sensitive services on the internal network. This may be true in some deployments (e.g. shared hosting environments). But for the majority of self-hosters following our standard install, admins are trusted and so the impact is much lower.
Patches
Latest stable, beta, and test-passed versions are now patched.
Workarounds
Apply protections at the network level.
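As an added example (not Discourse's own code), the kind of application-level destination check that stops the outbound connections described above: every resolved address is tested against private, loopback and link-local ranges before the connection is opened. The range list and the injectable `resolver` are assumptions made for illustration.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Added example, not Discourse's own code: a destination check a server-side
# fetcher runs before opening an outbound HTTP connection, so that a user- or
# admin-supplied URL cannot be pointed at the internal network. The range list
# is an assumption chosen for illustration (RFC 1918, loopback, link-local,
# CGNAT and the IPv6 equivalents).
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

def literal_ip?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# An IPv4-mapped IPv6 address (::ffff:10.0.0.1) is checked in its IPv4 form,
# otherwise it would slip past the IPv4 ranges.
def blocked_ip?(ip_string)
  ip = IPAddr.new(ip_string)
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  true # unparseable answer: fail closed
end

# Returns { host:, ip:, port: } for an allowed destination, or nil.
# Every resolved address must pass, and the caller must connect to the
# returned :ip rather than re-resolving the name; otherwise a DNS answer that
# changes between check and use (rebinding) defeats the check. `resolver` is
# injectable so the logic can be exercised offline with constructed answers.
def safe_destination(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  host = uri.hostname
  return nil unless %w[http https].include?(uri.scheme) && host && !host.empty?
  addresses = literal_ip?(host) ? [host] : resolver.call(host)
  return nil if addresses.empty? || addresses.any? { |a| blocked_ip?(a) }
  { host: host, ip: addresses.first, port: uri.port }
rescue URI::InvalidURIError
  nil
end
```

A check like this complements, rather than replaces, the network-level protections named under Workarounds.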