CVE-2023-47121
Discourse SSRF vulnerability in Embedding
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, the embedding feature is susceptible to server side request forgery. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. As a workaround, disable the Embedding feature.
Discourse es una plataforma de código abierto para el debate comunitario. Antes de la versión 3.1.3 de la rama `stable` y la versión 3.2.0.beta3 de las ramas `beta` y `tests-passed`, la característica de incrustación es susceptible a Server-Side Request Forgery. El problema se solucionó en la versión 3.1.3 de la rama "stable" y en la versión 3.2.0.beta3 de las ramas "beta" y "tests-passed". Como workaround, desactive la función Embedding.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-10-30 CVE Reserved
- 2023-11-10 CVE Published
- 2024-08-02 CVE Updated
- 2024-11-16 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (3)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/discourse/discourse/security/advisories/GHSA-hp24-94qf-8cgc | 2023-11-17 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Discourse Search vendor "Discourse" | Discourse Search vendor "Discourse" for product "Discourse" | < 3.1.3 Search vendor "Discourse" for product "Discourse" and version " < 3.1.3" | stable |
Affected
| ||||||
Discourse Search vendor "Discourse" | Discourse Search vendor "Discourse" for product "Discourse" | < 3.2.0 Search vendor "Discourse" for product "Discourse" and version " < 3.2.0" | beta |
Affected
| ||||||
Discourse Search vendor "Discourse" | Discourse Search vendor "Discourse" for product "Discourse" | 3.2.0 Search vendor "Discourse" for product "Discourse" and version "3.2.0" | beta1, beta |
Affected
| ||||||
Discourse Search vendor "Discourse" | Discourse Search vendor "Discourse" for product "Discourse" | 3.2.0 Search vendor "Discourse" for product "Discourse" and version "3.2.0" | beta2, beta |
Affected
|