BIT-discourse-2023-28112

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2023-28112.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-discourse-2023-28112
Aliases
Published
2024-03-06T10:58:19.088Z
Modified
2025-04-03T14:40:37.652Z
Summary
[none]
Details

Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the beta and tests-passed branches, some user provided URLs were being passed to FastImage without SSRF protection. Insufficient protections could enable attackers to trigger outbound network connections from the Discourse server to private IP addresses. This affects any site running the tests-passed or beta branches versions 3.1.0.beta2 and prior. This issue is patched in version 3.1.0.beta3 of the beta and tests-passed branches. There are no known workarounds.

Database specific
{
    "cpes": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*",
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*",
        "cpe:2.3:a:discourse:discourse:3.1.0:beta1:*:*:beta:*:*:*",
        "cpe:2.3:a:discourse:discourse:3.1.0:beta2:*:*:beta:*:*:*"
    ],
    "severity": "High"
}
References

Affected packages

Bitnami / discourse

Package

Name
discourse
Purl
pkg:bitnami/discourse

Severity

  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.0
Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
3.1.0