← Back to CVEs
CVE-2023-30606
MEDIUM4.2
Description
Discourse is an open source platform for community discussion. In affected versions a user logged as an administrator can call arbitrary methods on the `SiteSetting` class, notably `#clear_cache!` and `#notify_changed!`, which when done on a multisite instance, can affect the entire cluster resulting in a denial of service. Users not running in multisite environments are not affected. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE Details
CVSS v3.1 Score4.2
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredHIGH
User InteractionREQUIRED
Published4/18/2023
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
discourse:discourse
Weaknesses (CWE)
CWE-732CWE-732
References
https://github.com/discourse/discourse/security/advisories/GHSA-jj93-w3mv-3jvv(security-advisories@github.com)
https://github.com/discourse/discourse/security/advisories/GHSA-jj93-w3mv-3jvv(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.