CVE-2021-43850

Denial of Service in discourse

Severity Score

6.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Discourse is an open source platform for community discussion. In affected versions admins users can trigger a Denial of Service attack via the `/message-bus/_diagnostics` path. The impact of this vulnerability is greater on multisite Discourse instances (where multiple forums are served from a single application server) where any admin user on any of the forums are able to visit the `/message-bus/_diagnostics` path. The problem has been patched. Please upgrade to 2.8.0.beta10 or 2.7.12. No workarounds for this issue exist.

Discourse es una plataforma de código abierto para el debate comunitario. En las versiones afectadas los usuarios administradores pueden desencadenar un ataque de denegación de servicio por medio de la ruta "/message-bus/_diagnostics". El impacto de esta vulnerabilidad es mayor en las instancias multisitio de Discourse (donde son servidos múltiples foros desde un único servidor de aplicaciones) donde cualquier usuario administrador en cualquiera de los foros puede visitar la ruta "/message-bus/_diagnostics". El problema ha sido corregido. Por favor, actualice a la versión 2.8.0.beta10 o 2.7.12. No se presentan medidas de mitigación para este problema

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-16 CVE Reserved
2022-01-04 CVE Published
2023-07-28 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://github.com/discourse/discourse/security/advisories/GHSA-59jr-pj65-qmvr	2024-08-04

URL	Date	SRC
https://github.com/discourse/discourse/commit/7a8ec129fb54f188b2da6588c9d24d3a36eb0d39	2022-01-14

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				< 2.7.12 Search vendor "Discourse" for product "Discourse" and version " < 2.7.12"		-		Affected
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				2.8.0 Search vendor "Discourse" for product "Discourse" and version "2.8.0"		beta1		Affected
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				2.8.0 Search vendor "Discourse" for product "Discourse" and version "2.8.0"		beta2		Affected
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				2.8.0 Search vendor "Discourse" for product "Discourse" and version "2.8.0"		beta3		Affected
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				2.8.0 Search vendor "Discourse" for product "Discourse" and version "2.8.0"		beta4		Affected
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				2.8.0 Search vendor "Discourse" for product "Discourse" and version "2.8.0"		beta5		Affected
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				2.8.0 Search vendor "Discourse" for product "Discourse" and version "2.8.0"		beta6		Affected
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				2.8.0 Search vendor "Discourse" for product "Discourse" and version "2.8.0"		beta7		Affected
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				2.8.0 Search vendor "Discourse" for product "Discourse" and version "2.8.0"		beta8		Affected
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				2.8.0 Search vendor "Discourse" for product "Discourse" and version "2.8.0"		beta9		Affected