Headline
CVE-2023-38684: Possible DDoS due to unbounded limits in various controller actions
Discourse is an open source discussion platform. Prior to version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches, in multiple controller actions, Discourse accepts limit params but does not impose any upper bound on the values being accepted. Without an upper bound, the software may allow arbitrary users to generate DB queries which may end up exhausting the resources on the server. The issue is patched in version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches. There are no known workarounds for this vulnerability.
Package
Discourse (Discourse)
Affected versions
stable <= 3.0.5; beta <= 3.1.0.beta6; tests-passed <= 3.1.0.beta6
Patched versions
stable > 3.0.5; beta > 3.1.0.beta6; tests-passed > 3.1.0.beta6
Description
Impact
In multiple controller actions, we are accepting a limit params but do not impose any upper bound on the values being accepted. Without an upper bound, we may be allowing arbitrary users from generating DB queries which may end up exhausting the resources on the server.
Patches
The issue is patched in the latest stable and tests-passed version of Discourse.
Workarounds
There are no workarounds for this vulnerability. Please upgrade as soon as possible.