CVE-2023-44388
Malicious requests can fill up the log files, resulting in a denial of service in Discourse
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 0
- Exploited in Wild: -
- Decision: Attend
Descriptions
Discourse is an open source platform for community discussion. A malicious request can cause production log files to fill up quickly and thus result in the server running out of disk space. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. It is possible to work around this problem temporarily by reducing the `client_max_body_size` nginx directive. `client_max_body_size` limits the size of uploads that can be sent directly to the server.
CVSS Scores
SSVC
- Decision: Attend
Timeline
- 2023-09-28 CVE Reserved
- 2023-10-16 CVE Published
- 2024-09-16 CVE Updated
- 2024-11-17 EPSS Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
- First Exploit: no date recorded
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (2)
URL | Tag | Date | Source |
---|---|---|---|
http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size | Third Party Advisory | | |
https://github.com/discourse/discourse/security/advisories/GHSA-89h3-g746-xmwq | | 2023-10-20 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Discourse | Discourse | <= 3.1.1 | stable | Affected |
Discourse | Discourse | 3.2.0 | beta1, beta | Affected |