A vulnerability, which was classified as problematic, was found in Discourse up to 3.0.0/3.1.0.beta1. Affected is an unknown part. The manipulation with an unknown input leads to a redos vulnerability. CWE is classifying the issue as CWE-1333. The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. This is going to have an impact on availability. CVE summarizes:

Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches, a malicious user can cause a regular expression denial of service using a carefully crafted user agent. This issue is patched in version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches. There are no known workarounds.

The weakness was shared 01/28/2023 as GHSA-mrfp-54hf-jrcv. The advisory is shared for download at github.com. This vulnerability is traded as CVE-2023-23621 since 01/16/2023. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1449.003.

Upgrading to version 3.0.1 or 3.1.0.beta2 eliminates this vulnerability. Applying the patch 6d92c3cbdac431db99a450f360a3048bb3aaf458 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Productinfo

Name

• Discourse

Version

• 3.0
• 3.1.0.beta1

License

• open-source

Support

• end of life (old version)

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion