PT-2022-24835 · Discourse

Gregxsunday · Published 2022-11-02 · Updated 2024-03-06 · CVE-2022-39241

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to the latest stable, beta, and test-passed versions

Description: A malicious admin could exploit this issue to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet.

Recommendations: For all versions prior to the latest stable, beta, and test-passed versions, update to the latest version to resolve the issue. As a temporary workaround, self-hosters can use the DISCOURSE_BLOCKED_IP_BLOCKS env var to stop webhooks from accessing private IPs.
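The workaround above relies on checking every outbound webhook destination against a list of blocked IP ranges before the request is sent. The following is an added illustration of such a check, written for this page; it is not Discourse's own implementation. The default ranges, the `|`/`,` separators accepted for the setting value, and the function names (`parse_blocked_blocks`, `blocked_address?`, `webhook_target_allowed?`) are all assumptions made for the example.

```ruby
# Added example: a destination check of the kind a "blocked IP blocks" setting
# enables. Not Discourse's code; ranges, separators and names are assumptions.
require 'ipaddr'
require 'resolv'

# Assumed defaults: loopback, RFC 1918, link-local and their IPv6 counterparts.
DEFAULT_BLOCKED_IP_BLOCKS = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
  ::1/128 fc00::/7 fe80::/10
].freeze

# Parse a '|'- or ','-separated list of CIDR blocks (separator is an assumption).
def parse_blocked_blocks(value)
  value.split(/[|,]/).map(&:strip).reject(&:empty?).map { |cidr| IPAddr.new(cidr) }
end

# Fold IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) back to IPv4 so they
# cannot slip past IPv4-only entries in the block list.
def normalize_ip(ip)
  addr = ip.is_a?(IPAddr) ? ip : IPAddr.new(ip)
  addr.ipv4_mapped? ? addr.native : addr
end

# True if the address falls inside any configured block.
def blocked_address?(ip, blocks)
  addr = normalize_ip(ip)
  blocks.any? { |block| block.include?(addr) }
end

# Decide whether a webhook may contact `host`. A hostname is resolved and denied
# if *any* of its addresses is blocked (covers round-robin records that mix
# public and internal addresses); an unresolvable name fails closed. The
# resolver is injectable so the check can be exercised without DNS.
def webhook_target_allowed?(host,
                            blocks = DEFAULT_BLOCKED_IP_BLOCKS.map { |c| IPAddr.new(c) },
                            resolver: ->(h) { Resolv.getaddresses(h) })
  addresses =
    begin
      [IPAddr.new(host)] # literal IP: no lookup needed
    rescue IPAddr::InvalidAddressError
      resolver.call(host).map { |a| IPAddr.new(a) }
    end
  return false if addresses.empty?
  addresses.none? { |addr| blocked_address?(addr, blocks) }
end

if __FILE__ == $PROGRAM_NAME
  blocks = parse_blocked_blocks(ENV.fetch('BLOCKED_IP_BLOCKS', DEFAULT_BLOCKED_IP_BLOCKS.join('|')))
  %w[127.0.0.1 ::ffff:10.1.2.3 93.184.216.34].each do |target|
    puts "#{target}: #{webhook_target_allowed?(target, blocks) ? 'allowed' : 'blocked'}"
  end
end
```

Note that the check must run on the resolved address of the final connection, after redirects, since a public hostname can redirect a webhook to an internal one; the resolver injection point is where such a hook would sit in a real HTTP client.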

Tags: Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2022-39241
CVE-2022-39241
GHSA-RCC5-28R3-23RR

Affected Products

Discourse