PT-2023-26548 · Discourse · Discourse

Jomaxro · Published 2023-07-28 · Updated 2024-03-06 · CVE-2023-38684

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 3.0.6 of the stable branch
Discourse versions prior to 3.1.0.beta7 of the beta and tests-passed branches

Description
Discourse is an open source discussion platform. In multiple controller actions, Discourse accepts limit params but does not impose any upper bound on the values being accepted. Without an upper bound, the software may allow arbitrary users to generate DB queries which may end up exhausting the resources on the server.

Recommendations
For Discourse versions prior to 3.0.6 of the stable branch, update to version 3.0.6 or later. For Discourse versions prior to 3.1.0.beta7 of the beta and tests-passed branches, update to version 3.1.0.beta7 or later. As a temporary workaround, consider restricting access to the vulnerable controller actions until a patch is applied.
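The vulnerable and hardened forms of the limit handling described above, as an added Ruby example that is not Discourse's own code (the constants, method names and the query text are assumptions):

```ruby
# Added example, not Discourse's own code: a request `limit` parameter passed
# straight into a query versus one clamped to an upper bound. DEFAULT_LIMIT,
# MAX_LIMIT and the method names are hypothetical.
DEFAULT_LIMIT = 30
MAX_LIMIT = 100

# Vulnerable pattern from the advisory: the client-supplied value becomes the
# SQL LIMIT unchanged, so limit=1000000000 makes the database fetch and sort
# far more rows than any page could display.
def unbounded_limit(params)
  (params["limit"] || DEFAULT_LIMIT).to_i
end

# Hardened pattern: parse strictly as a base-10 integer, fall back to the
# default for missing or non-numeric input, then clamp to [1, max] so no
# request can ask for more rows than the endpoint is designed to serve.
def bounded_limit(params, default: DEFAULT_LIMIT, max: MAX_LIMIT)
  raw = params["limit"]
  return default if raw.nil? || raw.to_s.strip.empty?
  value = Integer(raw.to_s, 10, exception: false) # nil for "abc", "1e9", "10;x"
  return default if value.nil?
  value.clamp(1, max)
end

# Illustrative query builder so the two variants can be compared. Only the
# LIMIT clause matters here; in a Rails controller the same clamped value
# would be handed to ActiveRecord's `.limit`.
def topics_query(params, clamp:)
  limit = clamp ? bounded_limit(params) : unbounded_limit(params)
  "SELECT * FROM topics ORDER BY bumped_at DESC LIMIT #{limit}"
end

if __FILE__ == $PROGRAM_NAME
  hostile = { "limit" => "1000000000" } # constructed request parameters
  puts topics_query(hostile, clamp: false) # ... LIMIT 1000000000
  puts topics_query(hostile, clamp: true)  # ... LIMIT 100
end
```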

Exploit

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related identifiers

BIT-DISCOURSE-2023-38684
CVE-2023-38684
GHSA-FF7G-XV79-HGMF

Affected products

Discourse