PT-2023-1610 · Discourse · Discourse
Published
2023-01-16
·
Updated
2024-03-06
·
CVE-2023-23621
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 3.0.1 on the stable branch
Discourse versions prior to 3.1.0.beta2 on the beta and tests-passed branches
Description
The issue is related to the use of a regular expression with inefficient computational complexity in the Discourse open-source discussion platform. A malicious user can cause a regular expression denial of service using a carefully crafted
user agent. This can allow a remote attacker to cause a denial of service.Recommendations
For versions prior to 3.0.1 on the stable branch, update to version 3.0.1 or later.
For versions prior to 3.1.0.beta2 on the beta and tests-passed branches, update to version 3.1.0.beta2 or later.
As a temporary workaround, consider restricting the use of the
user agent field to minimize the risk of exploitation.Exploit
Fix
DoS
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Discourse