
CVE-2023-30606: Multisite DoS through unsanitized dynamic dispatch to SiteSetting

Discourse is an open source platform for community discussion. In affected versions a user logged in as an administrator can call arbitrary methods on the SiteSetting class, notably #clear_cache! and #notify_changed!, which, when done on a multisite instance, can affect the entire cluster and result in a denial of service. Users not running in multisite environments are not affected. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Type: CVE
Tags: #vulnerability #dos

Package

No package listed

Affected versions

stable <= 3.0.1; beta <= 3.1.0.beta2; tests-passed <= 3.1.0.beta2

Patched versions

stable > 3.0.1; beta > 3.1.0.beta2; tests-passed > 3.1.0.beta2

Description

Impact

A user logged in as an administrator can call arbitrary methods on the SiteSetting class, notably #clear_cache! and #notify_changed!, which, when done on a multisite instance, can affect the entire cluster.
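As an added illustration (not Discourse's code), the bug class the advisory describes in a constructed Ruby stand-in: a dispatcher that hands any caller-supplied name to public_send reaches cluster-wide methods such as clear_cache!, while a dispatcher that only accepts names of real settings (the mitigation pattern assumed here) refuses them.

```ruby
# Constructed stand-in for a SiteSetting-like class (hypothetical, not Discourse's).
# It exposes a few plain settings plus methods with cluster-wide side effects,
# and records which side-effecting methods were invoked.
class FakeSiteSetting
  SETTINGS = { "title" => "My Forum", "max_topics" => 100 }.freeze
  @calls = []

  class << self
    attr_reader :calls
    def reset!; @calls = []; end

    # Plain settings: these are the only names a lookup should ever reach.
    def title;      SETTINGS["title"];      end
    def max_topics; SETTINGS["max_topics"]; end

    # Cluster-wide side effects, named after the methods in the advisory.
    def clear_cache!;    @calls << :clear_cache!;    nil; end
    def notify_changed!; @calls << :notify_changed!; nil; end
  end
end

class UnknownSetting < ArgumentError; end

# Vulnerable pattern: the caller-controlled name is dispatched unchecked, so any
# public method on the class, including the side-effecting ones, is reachable.
def lookup_unsafe(name)
  FakeSiteSetting.public_send(name)
end

# Hardened pattern: dispatch only when the name is a known setting. A string or
# symbol is normalised first so the allowlist check cannot be bypassed by type.
def lookup_safe(name)
  key = name.to_s
  raise UnknownSetting, "not a setting: #{key}" unless FakeSiteSetting::SETTINGS.key?(key)
  FakeSiteSetting.public_send(key)
end
```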

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

None.
