PT-2024-19002 · Discourse · Discourse

Lillinator · Published 2024-01-12 · Updated 2024-03-06 · CVE-2024-21655

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 3.1.4
Discourse versions prior to 3.2.0.beta4

Description
Discourse is a platform for community discussion. Size limits are not enforced on client-editable fields, so a client can submit arbitrarily large values. A malicious actor can use this to make a Discourse instance consume excessive disk space and, because the stored content is later served back to other clients, often excessive bandwidth as well. Per the CVSS vector, any low-privileged account can trigger this over the network, and the impact is limited to availability.

Recommendations
For versions prior to 3.1.4, update to 3.1.4 or later. For versions prior to 3.2.0.beta4, update to 3.2.0.beta4 or later. As a temporary workaround, enforce size limits on client-editable fields, rejecting oversized values before they are stored, to prevent excessive disk space and bandwidth usage.
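The workaround above, shown as a vulnerable store-whatever-arrives pattern beside a hardened one that checks every client-editable field against a byte limit before anything is written. This is an added illustration, not Discourse's code or its fix; the field names, the limits, the FieldTooLarge class and the request body are assumptions.

```ruby
require 'json'

# Raised when a client-supplied field exceeds its configured limit.
class FieldTooLarge < StandardError; end

# Hypothetical per-field limits in BYTES (not characters), so multibyte text
# cannot slip past a character-count check. The field names are assumptions.
FIELD_LIMITS = {
  "bio_raw"  => 3_000,
  "location" => 255,
  "website"  => 255,
}.freeze

# Vulnerable pattern: every client-supplied field is stored verbatim, whatever its size.
def store_unbounded(store, params)
  params.each { |name, value| store[name] = value.to_s }
  store
end

# Hardened pattern: unknown fields are dropped and every known field is checked
# against its byte limit BEFORE anything is written, so a rejected request
# leaves the store untouched.
def store_bounded(store, params, limits = FIELD_LIMITS)
  accepted = params.select { |name, _| limits.key?(name) }
  accepted.each do |name, value|
    size = value.to_s.bytesize
    if size > limits[name]
      raise FieldTooLarge, "#{name} is #{size} bytes, limit #{limits[name]}"
    end
  end
  accepted.each { |name, value| store[name] = value.to_s }
  store
end

# Constructed request body standing in for what a malicious client would send:
# one 5 MB profile field plus a normal one.
ATTACK_BODY = JSON.generate("bio_raw" => "A" * 5_000_000, "location" => "x")

# Runs both patterns on the attack body and reports what each would persist.
def demo
  attack = JSON.parse(ATTACK_BODY)
  unbounded = store_unbounded({}, attack)
  bounded = begin
    store_bounded({}, attack)
    :accepted
  rescue FieldTooLarge => e
    e.message
  end
  { unbounded_bytes: unbounded.values.sum(&:bytesize), bounded: bounded }
end

if __FILE__ == $PROGRAM_NAME
  puts demo
end
```

Two design points matter in practice: limits are measured with bytesize rather than length, because a character-count check lets multibyte text exceed the intended storage budget, and all fields are validated before any are written, so a partially oversized request cannot leave a half-applied update behind. The same check belongs on the server regardless of any client-side maxlength, which an attacker simply ignores.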


Weakness Enumeration

Resource Exhaustion
Allocation of Resources Without Limits

Related Identifiers

BIT-DISCOURSE-2024-21655
CVE-2024-21655
GHSA-M5FC-94MM-38FX

Affected Products

Discourse