CVE-2023-23616: Discourse membership requests lack character limit
First published: Fri Jan 27 2023(Updated: )
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, when submitting a membership request, there is no character limit for the reason provided with the request. This could potentially allow a user to flood the database with a large amount of data. However it is unlikely this could be used as part of a DoS attack, as the paths reading back the reasons are only available to administrators. Starting in version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, a limit of 280 characters has been introduced for membership requests.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Discourse | <3.0.1 | |
| Discourse | =1.1.0-beta1 | |
| Discourse | =1.1.0-beta2 | |
| Discourse | =1.1.0-beta3 | |
| Discourse | =1.1.0-beta4 | |
| Discourse | =1.1.0-beta5 | |
| Discourse | =1.1.0-beta6 | |
| Discourse | =1.1.0-beta6b | |
| Discourse | =1.1.0-beta7 | |
| Discourse | =1.1.0-beta8 | |
| Discourse | =1.2.0-beta1 | |
| Discourse | =1.2.0-beta2 | |
| Discourse | =1.2.0-beta3 | |
| Discourse | =1.2.0-beta4 | |
| Discourse | =1.2.0-beta5 | |
| Discourse | =1.2.0-beta6 | |
| Discourse | =1.2.0-beta7 | |
| Discourse | =1.2.0-beta8 | |
| Discourse | =1.2.0-beta9 | |
| Discourse | =1.3.0-beta1 | |
| Discourse | =1.3.0-beta10 | |
| Discourse | =1.3.0-beta11 | |
| Discourse | =1.3.0-beta2 | |
| Discourse | =1.3.0-beta3 | |
| Discourse | =1.3.0-beta4 | |
| Discourse | =1.3.0-beta5 | |
| Discourse | =1.3.0-beta6 | |
| Discourse | =1.3.0-beta7 | |
| Discourse | =1.3.0-beta8 | |
| Discourse | =1.3.0-beta9 | |
| Discourse | =1.4.0-beta1 | |
| Discourse | =1.4.0-beta10 | |
| Discourse | =1.4.0-beta11 | |
| Discourse | =1.4.0-beta12 | |
| Discourse | =1.4.0-beta2 | |
| Discourse | =1.4.0-beta3 | |
| Discourse | =1.4.0-beta4 | |
| Discourse | =1.4.0-beta5 | |
| Discourse | =1.4.0-beta6 | |
| Discourse | =1.4.0-beta7 | |
| Discourse | =1.4.0-beta8 | |
| Discourse | =1.4.0-beta9 | |
| Discourse | =1.5.0-beta1 | |
| Discourse | =1.5.0-beta10 | |
| Discourse | =1.5.0-beta11 | |
| Discourse | =1.5.0-beta12 | |
| Discourse | =1.5.0-beta13 | |
| Discourse | =1.5.0-beta13b | |
| Discourse | =1.5.0-beta14 | |
| Discourse | =1.5.0-beta2 | |
| Discourse | =1.5.0-beta3 | |
| Discourse | =1.5.0-beta4 | |
| Discourse | =1.5.0-beta5 | |
| Discourse | =1.5.0-beta6 | |
| Discourse | =1.5.0-beta7 | |
| Discourse | =1.5.0-beta8 | |
| Discourse | =1.5.0-beta9 | |
| Discourse | =1.6.0-beta1 | |
| Discourse | =1.6.0-beta10 | |
| Discourse | =1.6.0-beta11 | |
| Discourse | =1.6.0-beta12 | |
| Discourse | =1.6.0-beta2 | |
| Discourse | =1.6.0-beta3 | |
| Discourse | =1.6.0-beta4 | |
| Discourse | =1.6.0-beta5 | |
| Discourse | =1.6.0-beta6 | |
| Discourse | =1.6.0-beta7 | |
| Discourse | =1.6.0-beta8 | |
| Discourse | =1.6.0-beta9 | |
| Discourse | =1.7.0-beta1 | |
| Discourse | =1.7.0-beta10 | |
| Discourse | =1.7.0-beta11 | |
| Discourse | =1.7.0-beta2 | |
| Discourse | =1.7.0-beta3 | |
| Discourse | =1.7.0-beta4 | |
| Discourse | =1.7.0-beta5 | |
| Discourse | =1.7.0-beta6 | |
| Discourse | =1.7.0-beta7 | |
| Discourse | =1.7.0-beta8 | |
| Discourse | =1.7.0-beta9 | |
| Discourse | =1.8.0-beta1 | |
| Discourse | =1.8.0-beta10 | |
| Discourse | =1.8.0-beta11 | |
| Discourse | =1.8.0-beta12 | |
| Discourse | =1.8.0-beta13 | |
| Discourse | =1.8.0-beta2 | |
| Discourse | =1.8.0-beta3 | |
| Discourse | =1.8.0-beta4 | |
| Discourse | =1.8.0-beta5 | |
| Discourse | =1.8.0-beta6 | |
| Discourse | =1.8.0-beta7 | |
| Discourse | =1.8.0-beta8 | |
| Discourse | =1.8.0-beta9 | |
| Discourse | =1.9.0-beta1 | |
| Discourse | =1.9.0-beta10 | |
| Discourse | =1.9.0-beta11 | |
| Discourse | =1.9.0-beta12 | |
| Discourse | =1.9.0-beta13 | |
| Discourse | =1.9.0-beta14 | |
| Discourse | =1.9.0-beta15 | |
| Discourse | =1.9.0-beta16 | |
| Discourse | =1.9.0-beta17 | |
| Discourse | =1.9.0-beta2 | |
| Discourse | =1.9.0-beta3 | |
| Discourse | =1.9.0-beta4 | |
| Discourse | =1.9.0-beta5 | |
| Discourse | =1.9.0-beta6 | |
| Discourse | =1.9.0-beta7 | |
| Discourse | =1.9.0-beta8 | |
| Discourse | =1.9.0-beta9 | |
| Discourse | =2.0.0-beta1 | |
| Discourse | =2.0.0-beta10 | |
| Discourse | =2.0.0-beta2 | |
| Discourse | =2.0.0-beta3 | |
| Discourse | =2.0.0-beta4 | |
| Discourse | =2.0.0-beta5 | |
| Discourse | =2.0.0-beta6 | |
| Discourse | =2.0.0-beta7 | |
| Discourse | =2.0.0-beta8 | |
| Discourse | =2.0.0-beta9 | |
| Discourse | =2.1.0-beta1 | |
| Discourse | =2.1.0-beta2 | |
| Discourse | =2.1.0-beta3 | |
| Discourse | =2.1.0-beta4 | |
| Discourse | =2.1.0-beta5 | |
| Discourse | =2.1.0-beta6 | |
| Discourse | =2.2.0-beta1 | |
| Discourse | =2.2.0-beta10 | |
| Discourse | =2.2.0-beta2 | |
| Discourse | =2.2.0-beta3 | |
| Discourse | =2.2.0-beta4 | |
| Discourse | =2.2.0-beta5 | |
| Discourse | =2.2.0-beta6 | |
| Discourse | =2.2.0-beta7 | |
| Discourse | =2.2.0-beta8 | |
| Discourse | =2.2.0-beta9 | |
| Discourse | =2.3.0-beta1 | |
| Discourse | =2.3.0-beta10 | |
| Discourse | =2.3.0-beta11 | |
| Discourse | =2.3.0-beta2 | |
| Discourse | =2.3.0-beta3 | |
| Discourse | =2.3.0-beta4 | |
| Discourse | =2.3.0-beta5 | |
| Discourse | =2.3.0-beta6 | |
| Discourse | =2.3.0-beta7 | |
| Discourse | =2.3.0-beta8 | |
| Discourse | =2.3.0-beta9 | |
| Discourse | =2.4.0-beta1 | |
| Discourse | =2.4.0-beta10 | |
| Discourse | =2.4.0-beta11 | |
| Discourse | =2.4.0-beta2 | |
| Discourse | =2.4.0-beta3 | |
| Discourse | =2.4.0-beta4 | |
| Discourse | =2.4.0-beta5 | |
| Discourse | =2.4.0-beta6 | |
| Discourse | =2.4.0-beta7 | |
| Discourse | =2.4.0-beta8 | |
| Discourse | =2.4.0-beta9 | |
| Discourse | =2.5.0-beta1 | |
| Discourse | =2.5.0-beta2 | |
| Discourse | =2.5.0-beta3 | |
| Discourse | =2.5.0-beta4 | |
| Discourse | =2.5.0-beta5 | |
| Discourse | =2.5.0-beta6 | |
| Discourse | =2.5.0-beta7 | |
| Discourse | =2.6.0-beta1 | |
| Discourse | =2.6.0-beta2 | |
| Discourse | =2.6.0-beta3 | |
| Discourse | =2.6.0-beta4 | |
| Discourse | =2.6.0-beta5 | |
| Discourse | =2.6.0-beta6 | |
| Discourse | =2.7.0-beta1 | |
| Discourse | =2.7.0-beta2 | |
| Discourse | =2.7.0-beta3 | |
| Discourse | =2.7.0-beta4 | |
| Discourse | =2.7.0-beta5 | |
| Discourse | =2.7.0-beta6 | |
| Discourse | =2.7.0-beta7 | |
| Discourse | =2.7.0-beta8 | |
| Discourse | =2.7.0-beta9 | |
| Discourse | =2.8.0-beta1 | |
| Discourse | =2.8.0-beta10 | |
| Discourse | =2.8.0-beta11 | |
| Discourse | =2.8.0-beta2 | |
| Discourse | =2.8.0-beta3 | |
| Discourse | =2.8.0-beta4 | |
| Discourse | =2.8.0-beta5 | |
| Discourse | =2.8.0-beta6 | |
| Discourse | =2.8.0-beta7 | |
| Discourse | =2.8.0-beta8 | |
| Discourse | =2.8.0-beta9 | |
| Discourse | =2.9.0-beta1 | |
| Discourse | =2.9.0-beta10 | |
| Discourse | =2.9.0-beta11 | |
| Discourse | =2.9.0-beta12 | |
| Discourse | =2.9.0-beta13 | |
| Discourse | =2.9.0-beta14 | |
| Discourse | =2.9.0-beta2 | |
| Discourse | =2.9.0-beta3 | |
| Discourse | =2.9.0-beta4 | |
| Discourse | =2.9.0-beta5 | |
| Discourse | =2.9.0-beta6 | |
| Discourse | =2.9.0-beta7 | |
| Discourse | =2.9.0-beta8 | |
| Discourse | =2.9.0-beta9 | |
| Discourse | =3.0.0-beta15 | |
| Discourse | =3.0.0-beta16 | |
| Discourse | =3.1.0-beta1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-23616?
The severity of CVE-2023-23616 is currently classified as moderate.
How do I fix CVE-2023-23616?
To fix CVE-2023-23616, update your Discourse instance to version 3.0.1 or later on the stable branch, or 3.1.0.beta2 or later on the beta and tests-passed branches.
What vulnerabilities are associated with CVE-2023-23616?
CVE-2023-23616 relates to a lack of character limits on membership request reasons, which can lead to potential abuse.
Are all versions of Discourse affected by CVE-2023-23616?
Yes, all versions prior to 3.0.1 on the stable branch and 3.1.0.beta2 on the beta and tests-passed branches are affected.
What steps should I take if I can't update immediately for CVE-2023-23616?
If you cannot update immediately, consider implementing a character limit manually in the membership request section as a temporary mitigation.
- agent/references
- agent/type
- agent/weakness
- agent/remedy
- agent/author
- agent/description
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/last-modified-date
- agent/source
- agent/tags
- agent/first-publish-date
- agent/event
- vendor/discourse
- canonical/discourse
- version/discourse/1.1.0-beta1
- version/discourse/1.1.0-beta2
- version/discourse/1.1.0-beta3
- version/discourse/1.1.0-beta4
- version/discourse/1.1.0-beta5
- version/discourse/1.1.0-beta6
- version/discourse/1.1.0-beta6b
- version/discourse/1.1.0-beta7
- version/discourse/1.1.0-beta8
- version/discourse/1.2.0-beta1
- version/discourse/1.2.0-beta2
- version/discourse/1.2.0-beta3
- version/discourse/1.2.0-beta4
- version/discourse/1.2.0-beta5
- version/discourse/1.2.0-beta6
- version/discourse/1.2.0-beta7
- version/discourse/1.2.0-beta8
- version/discourse/1.2.0-beta9
- version/discourse/1.3.0-beta1
- version/discourse/1.3.0-beta10
- version/discourse/1.3.0-beta11
- version/discourse/1.3.0-beta2
- version/discourse/1.3.0-beta3
- version/discourse/1.3.0-beta4
- version/discourse/1.3.0-beta5
- version/discourse/1.3.0-beta6
- version/discourse/1.3.0-beta7
- version/discourse/1.3.0-beta8
- version/discourse/1.3.0-beta9
- version/discourse/1.4.0-beta1
- version/discourse/1.4.0-beta10
- version/discourse/1.4.0-beta11
- version/discourse/1.4.0-beta12
- version/discourse/1.4.0-beta2
- version/discourse/1.4.0-beta3
- version/discourse/1.4.0-beta4
- version/discourse/1.4.0-beta5
- version/discourse/1.4.0-beta6
- version/discourse/1.4.0-beta7
- version/discourse/1.4.0-beta8
- version/discourse/1.4.0-beta9
- version/discourse/1.5.0-beta1
- version/discourse/1.5.0-beta10
- version/discourse/1.5.0-beta11
- version/discourse/1.5.0-beta12
- version/discourse/1.5.0-beta13
- version/discourse/1.5.0-beta13b
- version/discourse/1.5.0-beta14
- version/discourse/1.5.0-beta2
- version/discourse/1.5.0-beta3
- version/discourse/1.5.0-beta4
- version/discourse/1.5.0-beta5
- version/discourse/1.5.0-beta6
- version/discourse/1.5.0-beta7
- version/discourse/1.5.0-beta8
- version/discourse/1.5.0-beta9
- version/discourse/1.6.0-beta1
- version/discourse/1.6.0-beta10
- version/discourse/1.6.0-beta11
- version/discourse/1.6.0-beta12
- version/discourse/1.6.0-beta2
- version/discourse/1.6.0-beta3
- version/discourse/1.6.0-beta4
- version/discourse/1.6.0-beta5
- version/discourse/1.6.0-beta6
- version/discourse/1.6.0-beta7
- version/discourse/1.6.0-beta8
- version/discourse/1.6.0-beta9
- version/discourse/1.7.0-beta1
- version/discourse/1.7.0-beta10
- version/discourse/1.7.0-beta11
- version/discourse/1.7.0-beta2
- version/discourse/1.7.0-beta3
- version/discourse/1.7.0-beta4
- version/discourse/1.7.0-beta5
- version/discourse/1.7.0-beta6
- version/discourse/1.7.0-beta7
- version/discourse/1.7.0-beta8
- version/discourse/1.7.0-beta9
- version/discourse/1.8.0-beta1
- version/discourse/1.8.0-beta10
- version/discourse/1.8.0-beta11
- version/discourse/1.8.0-beta12
- version/discourse/1.8.0-beta13
- version/discourse/1.8.0-beta2
- version/discourse/1.8.0-beta3
- version/discourse/1.8.0-beta4
- version/discourse/1.8.0-beta5
- version/discourse/1.8.0-beta6
- version/discourse/1.8.0-beta7
- version/discourse/1.8.0-beta8
- version/discourse/1.8.0-beta9
- version/discourse/1.9.0-beta1
- version/discourse/1.9.0-beta10
- version/discourse/1.9.0-beta11
- version/discourse/1.9.0-beta12
- version/discourse/1.9.0-beta13
- version/discourse/1.9.0-beta14
- version/discourse/1.9.0-beta15
- version/discourse/1.9.0-beta16
- version/discourse/1.9.0-beta17
- version/discourse/1.9.0-beta2
- version/discourse/1.9.0-beta3
- version/discourse/1.9.0-beta4
- version/discourse/1.9.0-beta5
- version/discourse/1.9.0-beta6
- version/discourse/1.9.0-beta7
- version/discourse/1.9.0-beta8
- version/discourse/1.9.0-beta9
- version/discourse/2.0.0-beta1
- version/discourse/2.0.0-beta10
- version/discourse/2.0.0-beta2
- version/discourse/2.0.0-beta3
- version/discourse/2.0.0-beta4
- version/discourse/2.0.0-beta5
- version/discourse/2.0.0-beta6
- version/discourse/2.0.0-beta7
- version/discourse/2.0.0-beta8
- version/discourse/2.0.0-beta9
- version/discourse/2.1.0-beta1
- version/discourse/2.1.0-beta2
- version/discourse/2.1.0-beta3
- version/discourse/2.1.0-beta4
- version/discourse/2.1.0-beta5
- version/discourse/2.1.0-beta6
- version/discourse/2.2.0-beta1
- version/discourse/2.2.0-beta10
- version/discourse/2.2.0-beta2
- version/discourse/2.2.0-beta3
- version/discourse/2.2.0-beta4
- version/discourse/2.2.0-beta5
- version/discourse/2.2.0-beta6
- version/discourse/2.2.0-beta7
- version/discourse/2.2.0-beta8
- version/discourse/2.2.0-beta9
- version/discourse/2.3.0-beta1
- version/discourse/2.3.0-beta10
- version/discourse/2.3.0-beta11
- version/discourse/2.3.0-beta2
- version/discourse/2.3.0-beta3
- version/discourse/2.3.0-beta4
- version/discourse/2.3.0-beta5
- version/discourse/2.3.0-beta6
- version/discourse/2.3.0-beta7
- version/discourse/2.3.0-beta8
- version/discourse/2.3.0-beta9
- version/discourse/2.4.0-beta1
- version/discourse/2.4.0-beta10
- version/discourse/2.4.0-beta11
- version/discourse/2.4.0-beta2
- version/discourse/2.4.0-beta3
- version/discourse/2.4.0-beta4
- version/discourse/2.4.0-beta5
- version/discourse/2.4.0-beta6
- version/discourse/2.4.0-beta7
- version/discourse/2.4.0-beta8
- version/discourse/2.4.0-beta9
- version/discourse/2.5.0-beta1
- version/discourse/2.5.0-beta2
- version/discourse/2.5.0-beta3
- version/discourse/2.5.0-beta4
- version/discourse/2.5.0-beta5
- version/discourse/2.5.0-beta6
- version/discourse/2.5.0-beta7
- version/discourse/2.6.0-beta1
- version/discourse/2.6.0-beta2
- version/discourse/2.6.0-beta3
- version/discourse/2.6.0-beta4
- version/discourse/2.6.0-beta5
- version/discourse/2.6.0-beta6
- version/discourse/2.7.0-beta1
- version/discourse/2.7.0-beta2
- version/discourse/2.7.0-beta3
- version/discourse/2.7.0-beta4
- version/discourse/2.7.0-beta5
- version/discourse/2.7.0-beta6
- version/discourse/2.7.0-beta7
- version/discourse/2.7.0-beta8
- version/discourse/2.7.0-beta9
- version/discourse/2.8.0-beta1
- version/discourse/2.8.0-beta10
- version/discourse/2.8.0-beta11
- version/discourse/2.8.0-beta2
- version/discourse/2.8.0-beta3
- version/discourse/2.8.0-beta4
- version/discourse/2.8.0-beta5
- version/discourse/2.8.0-beta6
- version/discourse/2.8.0-beta7
- version/discourse/2.8.0-beta8
- version/discourse/2.8.0-beta9
- version/discourse/2.9.0-beta1
- version/discourse/2.9.0-beta10
- version/discourse/2.9.0-beta11
- version/discourse/2.9.0-beta12
- version/discourse/2.9.0-beta13
- version/discourse/2.9.0-beta14
- version/discourse/2.9.0-beta2
- version/discourse/2.9.0-beta3
- version/discourse/2.9.0-beta4
- version/discourse/2.9.0-beta5
- version/discourse/2.9.0-beta6
- version/discourse/2.9.0-beta7
- version/discourse/2.9.0-beta8
- version/discourse/2.9.0-beta9
- version/discourse/3.0.0-beta15
- version/discourse/3.0.0-beta16
- version/discourse/3.1.0-beta1