Vulnerability Description
Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious user can create an unlimited number of drafts with very long draft keys which may end up exhausting the resources on the server. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. There are no known workarounds.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | < 3.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/discourse/discourse/security/advisories/GHSA-7wpp-4pqg-gvp8ExploitVendor Advisory
- https://github.com/discourse/discourse/security/advisories/GHSA-7wpp-4pqg-gvp8ExploitVendor Advisory
FAQ
What is CVE-2023-38706?
CVE-2023-38706 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious user can create an unlimit...
How severe is CVE-2023-38706?
CVE-2023-38706 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-38706?
Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse.