Headline
CVE-2021-43850: SECURITY: Disable MessageBus::Diagnostics. · discourse/discourse@7a8ec12
Discourse is an open source platform for community discussion. In affected versions admins users can trigger a Denial of Service attack via the /message-bus/_diagnostics path. The impact of this vulnerability is greater on multisite Discourse instances (where multiple forums are served from a single application server) where any admin user on any of the forums are able to visit the /message-bus/_diagnostics path. The problem has been patched. Please upgrade to 2.8.0.beta10 or 2.7.12. No workarounds for this issue exist.
Permalink
Browse files
SECURITY: Disable MessageBus::Diagnostics.
MessageBus::Diagnostics allows anyone with access to carry out certain operations that may result in a denial of service. The impact of this is greater on multisiite clusters.
- Loading branch information
1 parent 30bc65a commit 7a8ec129fb54f188b2da6588c9d24d3a36eb0d39
Showing with 0 additions and 1 deletion.
- +0 −1 config/initializers/004-message_bus.rb
@@ -120,7 +120,6 @@ def setup_message_bus_env(env)
MessageBus.long_polling_enabled = SiteSetting.enable_long_polling
MessageBus.long_polling_interval = SiteSetting.long_polling_interval
MessageBus.cache_assets = !Rails.env.development?
MessageBus.enable_diagnostics
if Rails.env == “test” || $0 =~ /rake$/
# disable keepalive in testing
0 comments on commit 7a8ec12
Please sign in to comment.