CVE-2024-47773

Oct. 10, 2024, 12:56 p.m.

Tags

security-advisories@github.com
CWE-610
2024-10-08
CVE-2024-47773

CVSS Score

8.2 / 10

Product(s) Impacted

Discourse

Description

Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data. This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.

Weaknesses

CWE-610
Externally Controlled Reference to a Resource in Another Sphere

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

CWE ID: 610

Date

Published: Oct. 8, 2024, 6:15 p.m.

Last Modified: Oct. 10, 2024, 12:56 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

Base Score
8.2
Exploitability Score
3.9
Impact Score
4.2
Base Severity
HIGH
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

References

https://github.com/discourse/discourse/security/advisories/GHSA-58vv-9j8h-hw2v
security-advisories@github.com