PT-2023-27756 · Discourse · Discourse

Jomaxro · Published 2023-09-15 · Updated 2024-03-06 · CVE-2023-41043

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 3.1.1 of the stable branch
Discourse versions prior to 3.2.0.beta1 of the beta and tests-passed branches

Description

A malicious admin could create extremely large icon sprites, which would then be cached in each server process, potentially causing server processes to be killed and leading to downtime. This issue is a concern for multisite installations, but no action is required when admins are trusted.

Recommendations

For versions prior to 3.1.1 of the stable branch, update to version 3.1.1 or later. For versions prior to 3.2.0.beta1 of the beta and tests-passed branches, update to version 3.2.0.beta1 or later. As a temporary workaround, consider restricting the ability of admins to create large icon sprites until a patch is applied.
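As an added illustration (not Discourse's own code), the failure mode the description above names: an in-process cache that memoizes admin-supplied sprites with no bound, beside one that enforces a per-entry and a per-process byte budget. build_sprite, the class names and the limit values are hypothetical.

```ruby
# Added illustration, not Discourse's code: per-process sprite caching with and
# without a size bound. build_sprite, the classes and the limits are hypothetical.

# Concatenates the SVG symbols an admin selected into one sprite string.
def build_sprite(symbols)
  "<svg>" + symbols.map { |id| "<symbol id=\"#{id}\"/>" }.join + "</svg>"
end

# Unbounded memoization (the pre-fix pattern): whatever an admin supplies is
# kept in memory for the life of the process, so one huge symbol set pins
# memory in every worker that has served the request.
class UnboundedSpriteCache
  def initialize
    @store = {}
  end

  def fetch(theme_id, symbols)
    @store[theme_id] ||= build_sprite(symbols)
  end

  def cached_bytes
    @store.values.sum(&:bytesize)
  end
end

# Bounded variant: oversized sprites are served but never cached, and the
# oldest entries are evicted so the per-process total stays under budget.
class BoundedSpriteCache
  MAX_ENTRY_BYTES = 64 * 1024   # hypothetical limits chosen for the demo
  MAX_TOTAL_BYTES = 256 * 1024

  def initialize
    @store = {} # Ruby hashes preserve insertion order: first key is oldest
  end

  def fetch(theme_id, symbols)
    return @store[theme_id] if @store.key?(theme_id)
    sprite = build_sprite(symbols)
    return sprite if sprite.bytesize > MAX_ENTRY_BYTES
    @store.shift while !@store.empty? && cached_bytes + sprite.bytesize > MAX_TOTAL_BYTES
    @store[theme_id] = sprite
  end

  def cached_bytes
    @store.values.sum(&:bytesize)
  end
end
```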

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

BIT-DISCOURSE-2023-41043
CVE-2023-41043
GHSA-28HH-H5XW-XGVX

Affected Products

Discourse