Headline
CVE-2023-40588: DoS via 2FA and Security Key Names
Discourse is an open-source discussion platform. Prior to version 3.1.1 of the stable branch and version 3.2.0.beta1 of the beta and tests-passed branches, a malicious user could add a 2FA or security key with a carefully crafted name to their account and cause a denial of service for other users. The issue is patched in version 3.1.1 of the stable branch and version 3.2.0.beta1 of the beta and tests-passed branches. There are no known workarounds.
Package
Discourse (Discourse)
Affected versions
stable <= 3.1.0; beta <= 3.1.0.beta8; tests-passed <= 3.2.0.beta1-dev
Patched versions
stable >= 3.1.1; beta >= 3.2.0.beta1; tests-passed >= 3.2.0.beta2-dev
Description
Impact
A malicious user could add a 2FA or security key with a carefully crafted name to their account and cause a DoS for other users.
Patches
The issue is patched in the latest stable, beta and tests-passed version of Discourse.
Workarounds
There are no workarounds for this vulnerability. Please upgrade as soon as possible.