CVE-2023-23616

Severity CVSS v4.0:
Pending analysis
Type:
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Publication date:
28/01/2023
Last modified:
08/02/2023

Description

Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, when submitting a membership request, there is no character limit for the reason provided with the request. This could potentially allow a user to flood the database with a large amount of data. However it is unlikely this could be used as part of a DoS attack, as the paths reading back the reasons are only available to administrators. Starting in version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, a limit of 280 characters has been introduced for membership requests.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:* 3.0.1 (excluding)
cpe:2.3:a:discourse:discourse:1.1.0:beta1:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta2:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta3:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta4:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta5:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta6:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta6b:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta7:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta8:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.2.0:beta1:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.2.0:beta2:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.2.0:beta3:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.2.0:beta4:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.2.0:beta5:*:*:beta:*:*:*