CVE-2024-21655

Insufficient control of custom field value sizes

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Discourse is a platform for community discussion. For fields that are client editable, limits on sizes are not imposed. This allows a malicious actor to cause a Discourse instance to use excessive disk space and also often excessive bandwidth. The issue is patched 3.1.4 and 3.2.0.beta4.

Discourse es una plataforma para la discusión comunitaria. Para los campos que el cliente puede editar, no se imponen límites de tamaño. Esto permite que un actor malintencionado haga que una instancia de Discourse utilice espacio en disco excesivo y, a menudo, también ancho de banda excesivo. El problema está parcheado en 3.1.4 y 3.2.0.beta4.

*Credits: N/A

CVSS Scores

NISTv3.1 4.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-12-29 CVE Reserved
2024-01-12 CVE Published
2024-01-26 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/discourse/discourse/security/advisories/GHSA-m5fc-94mm-38fx	2024-01-25

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				< 3.1.4 Search vendor "Discourse" for product "Discourse" and version " < 3.1.4"		stable		Affected
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				3.2.0 Search vendor "Discourse" for product "Discourse" and version "3.2.0"		beta1, beta		Affected
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				3.2.0 Search vendor "Discourse" for product "Discourse" and version "3.2.0"		beta2, beta		Affected
Discourse Search vendor "Discourse"		Discourse Search vendor "Discourse" for product "Discourse"				3.2.0 Search vendor "Discourse" for product "Discourse" and version "3.2.0"		beta3, beta		Affected