PT-2024-20593

Nattsw · Published 2024-03-15 · Updated 2025-08-26

CVE-2024-24827
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to the latest stable, beta and tests-passed version

Description: The issue affects Discourse, an open source platform for community discussion, due to the lack of a rate limit on the "POST /uploads" endpoint. This makes it easier for an attacker to carry out a denial-of-service (DoS) attack on the server, as creating an upload can be a resource-intensive process. The impact varies from site to site, depending on site settings such as max image size kb, max attachment size kb, and max image megapixels, which determine the amount of resources used when creating an upload.

Recommendations: For versions prior to the latest stable, beta and tests-passed version, upgrade to the latest version to resolve the issue. As a temporary workaround, consider reducing max image size kb, max attachment size kb, and max image megapixels to minimize the resources required for upload processing. Alternatively, reduce client max body size in Nginx to prevent large uploads from reaching the server.
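The Nginx side of the workaround above, as an added example that is not part of the advisory or the Discourse project: the front-end caps the request body with client_max_body_size and, as a compensating control for the missing application-level limit, throttles POST requests to the upload-creation route per client address. The hostname, upstream name, zone size, rates and the optional .json suffix on the route are assumptions to be tuned per site.

```nginx
# Added example; not from the advisory or the Discourse project.
# Hostname, upstream name, zone size and rates are assumptions to tune per site.
http {
    upstream discourse_upstream {          # assumed name for the Discourse app container
        server 127.0.0.1:3000;
    }

    # Key the bucket by client address for POST requests only. An empty key is not
    # counted by limit_req, so GETs for already-stored uploads stay unthrottled.
    map $request_method $upload_post_key {
        POST    $binary_remote_addr;
        default "";
    }
    limit_req_zone $upload_post_key zone=discourse_uploads:10m rate=2r/s;

    server {
        listen 80;                         # TLS omitted for brevity
        server_name forum.example.com;     # placeholder hostname

        # Site-wide body cap. Nginx answers 413 from the Content-Length header before
        # reading the body, so oversized uploads never reach Discourse.
        client_max_body_size 4m;

        # Upload-creation route named in the advisory; the .json suffix is assumed.
        location ~ ^/uploads(\.json)?$ {
            limit_req zone=discourse_uploads burst=5 nodelay;
            limit_req_status 429;

            # Advisory workaround: keep this at or below the Discourse
            # max attachment size kb / max image size kb settings.
            client_max_body_size 4m;

            proxy_pass http://discourse_upstream;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location / {
            proxy_pass http://discourse_upstream;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Rejected requests surface as 413 and 429 entries in the Nginx access log, which gives a simple signal for spotting a client hammering the upload route.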

Exploit · Fix · DoS · Resource Exhaustion

Related Identifiers

BIT-DISCOURSE-2024-24827
CVE-2024-24827
GHSA-58VW-246G-FJJ4

Affected Products

Discourse
Nginx