Headline
CVE-2023-41043: DoS via SvgSprite cache
Discourse is an open-source discussion platform. Prior to version 3.1.1 of the stable branch and version 3.2.0.beta1 of the beta and tests-passed branches, a malicious admin could create extremely large icon sprites, which would then be cached in each server process. This may cause server processes to be killed and lead to downtime. The issue is patched in version 3.1.1 of the stable branch and version 3.2.0.beta1 of the beta and tests-passed branches. This is only a concern for multisite installations. No action is required when the admins are trusted.
Impact
A malicious agent could create a theme with a large number of theme components, each of which could contain a large icons-sprite upload and all of these would be bundled and then cached in each process. If the cache were to grow large enough, it would cause the unicorn processes to be killed and the entire cluster would be rendered inoperable.
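The failure mode above comes from a per-process cache whose size is set by admin-controlled uploads. The following Ruby code is an added example, not Discourse code and not the project's patch: it shows a byte-budgeted cache that serves but never stores oversized bundles and evicts the least recently used entry once the budget is exceeded. The class `BoundedSpriteCache`, its parameters, `bundle_for` and the sample data are assumptions made for illustration.

```ruby
# Added illustration; names are hypothetical, not Discourse's API.
class BoundedSpriteCache
  attr_reader :bytes

  def initialize(max_bytes:, max_entry_bytes:)
    @max_bytes = max_bytes              # total budget for this process
    @max_entry_bytes = max_entry_bytes  # largest bundle worth caching
    @entries = {}                       # Ruby hashes keep insertion order: oldest first
    @bytes = 0
  end

  # Returns the bundle for theme_id, building it with the block on a miss.
  def fetch(theme_id)
    if @entries.key?(theme_id)
      bundle = @entries.delete(theme_id)  # re-insert to mark as most recently used
      return @entries[theme_id] = bundle
    end
    bundle = yield
    return bundle if bundle.bytesize > @max_entry_bytes  # serve it, never cache it
    @entries[theme_id] = bundle
    @bytes += bundle.bytesize
    evict_oldest while @bytes > @max_bytes
    bundle
  end

  def cached?(theme_id)
    @entries.key?(theme_id)
  end

  private

  def evict_oldest
    _, bundle = @entries.shift
    @bytes -= bundle.bytesize
  end
end

# Constructed input: a theme's bundle is the concatenation of its components' sprites.
def bundle_for(component_sprites)
  component_sprites.join
end

def demo
  cache = BoundedSpriteCache.new(max_bytes: 1_000, max_entry_bytes: 600)
  cache.fetch(1) { bundle_for(["a" * 200, "b" * 200]) }       # 400 bytes, cached
  cache.fetch(2) { bundle_for(["c" * 500]) }                  # 500 bytes, cached
  cache.fetch(3) { bundle_for(Array.new(50) { "x" * 100 }) }  # 5000 bytes, not cached
  cache.fetch(1) { raise "expected a cache hit" }             # theme 2 is now oldest
  cache.fetch(4) { bundle_for(["d" * 300]) }                  # over budget, evicts theme 2
  cache
end
```

With both limits in place, per-process memory stays under `max_bytes` regardless of how many components a theme bundles.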
Patches
This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Workaround
This is only a concern for multisite installations. No action is required when the admins are trusted.