CVE-2024-27100 (GCVE-0-2024-27100)
Vulnerability from cvelistv5 – Published: 2024-03-15 19:21 – Updated: 2024-08-02 00:27
VLAI?
Summary
Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren't enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could render an instance inoperable. A site could be disrupted by either a malicious moderator on the same site or a malicious staff member on another site in the same multisite cluster. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27100",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-18T16:16:38.459832Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:46:44.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.432Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc"
},
{
"name": "https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "stable \u003c= 3.2.0"
},
{
"status": "affected",
"version": "beta \u003c= 3.3.0.beta1"
},
{
"status": "affected",
"version": "tests-passed \u003c= 3.3.0.beta1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren\u0027t enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could render an instance inoperable. A site could be disrupted by either a malicious moderator on the same site or a malicious staff member on another site in the same multisite cluster. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-15T19:21:49.443Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc"
},
{
"name": "https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47"
}
],
"source": {
"advisory": "GHSA-xq4v-qg27-gxgc",
"discovery": "UNKNOWN"
},
"title": "Denial of service via Staff Actions in Discourse"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27100",
"datePublished": "2024-03-15T19:21:49.443Z",
"dateReserved": "2024-02-19T14:43:05.994Z",
"dateUpdated": "2024-08-02T00:27:59.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren\u0027t enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could render an instance inoperable. A site could be disrupted by either a malicious moderator on the same site or a malicious staff member on another site in the same multisite cluster. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}, {\"lang\": \"es\", \"value\": \"Discourse es una plataforma de c\\u00f3digo abierto para el debate comunitario. En las versiones afectadas, los endpoints para suspender usuarios, silenciar usuarios y exportar archivos CSV no impon\\u00edan l\\u00edmites en los tama\\u00f1os de los par\\u00e1metros que aceptaban. Esto podr\\u00eda provocar un consumo excesivo de recursos que podr\\u00eda dejar una instancia inoperable. Un sitio podr\\u00eda verse interrumpido por un moderador malintencionado en el mismo sitio o por un miembro del personal malicioso en otro sitio en el mismo cl\\u00faster multisitio. Este problema est\\u00e1 solucionado en las \\u00faltimas versiones estable, beta y de prueba de Discourse. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.\"}]",
"id": "CVE-2024-27100",
"lastModified": "2024-11-21T09:03:51.563",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
"published": "2024-03-15T20:15:08.490",
"references": "[{\"url\": \"https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-27100\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-15T20:15:08.490\",\"lastModified\":\"2025-08-26T16:56:48.390\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren\u0027t enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could render an instance inoperable. A site could be disrupted by either a malicious moderator on the same site or a malicious staff member on another site in the same multisite cluster. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Discourse es una plataforma de c\u00f3digo abierto para el debate comunitario. En las versiones afectadas, los endpoints para suspender usuarios, silenciar usuarios y exportar archivos CSV no impon\u00edan l\u00edmites en los tama\u00f1os de los par\u00e1metros que aceptaban. Esto podr\u00eda provocar un consumo excesivo de recursos que podr\u00eda dejar una instancia inoperable. Un sitio podr\u00eda verse interrumpido por un moderador malintencionado en el mismo sitio o por un miembro del personal malicioso en otro sitio en el mismo cl\u00faster multisitio. Este problema est\u00e1 solucionado en las \u00faltimas versiones estable, beta y de prueba de Discourse. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*\",\"versionEndExcluding\":\"3.2.1\",\"matchCriteriaId\":\"CA87FBDE-0BBA-49D1-85B8-1FB2C628D2C6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*\",\"versionEndExcluding\":\"3.3.0\",\"matchCriteriaId\":\"4EBDB0A9-6C68-4FC5-81CD-5E1B042DD60C\"}]}]}],\"references\":[{\"url\":\"https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc\", \"name\": \"https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47\", \"name\": \"https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:27:59.432Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-27100\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-18T16:16:38.459832Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:18.439Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Denial of service via Staff Actions in Discourse\", \"source\": {\"advisory\": \"GHSA-xq4v-qg27-gxgc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"discourse\", \"product\": \"discourse\", \"versions\": [{\"status\": \"affected\", \"version\": \"stable \u003c= 3.2.0\"}, {\"status\": \"affected\", \"version\": \"beta \u003c= 3.3.0.beta1\"}, {\"status\": \"affected\", \"version\": \"tests-passed \u003c= 3.3.0.beta1\"}]}], \"references\": [{\"url\": \"https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc\", \"name\": \"https://github.com/discourse/discourse/security/advisories/GHSA-xq4v-qg27-gxgc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47\", \"name\": \"https://github.com/discourse/discourse/commit/8cade1e825e90a66f440e820992d43c6905f4b47\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren\u0027t enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could render an instance inoperable. A site could be disrupted by either a malicious moderator on the same site or a malicious staff member on another site in the same multisite cluster. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-15T19:21:49.443Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-27100\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T00:27:59.432Z\", \"dateReserved\": \"2024-02-19T14:43:05.994Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-15T19:21:49.443Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…