BIT-discourse-2022-23641

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2022-23641.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-discourse-2022-23641

Aliases

CVE-2022-23641
GHSA-22xw-f62v-cfxv

Published

2024-03-06T11:06:58.961Z

Modified

2025-10-14T19:27:37.094982Z

Summary

Denial of Service in Discourse

Details

Discourse is an open source discussion platform. In versions prior to 2.8.1 in the stable branch, 2.9.0.beta2 in the beta branch, and 2.9.0.beta2 in the tests-passed branch, users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job trigger an infinite loop, which cause memory leaks. This issue is patched in version 2.8.1 of the stable branch, 2.9.0.beta2 of the beta branch, and 2.9.0.beta2 of the tests-passed branch. As a workaround, disable onebox in admin panel completely or specify allow list of domains that will be oneboxed.

Database specific

{
    "cpes": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / discourse

Package

Name: discourse
Purl: pkg:bitnami/discourse

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.8.1