CVE-2023-38498: Discourse vulnerable to DoS via defer queue
First published: Fri Jul 28 2023(Updated: )
Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a malicious user can prevent the defer queue from proceeding promptly on sites hosted in the same multisite installation. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability. Users of multisite configurations should upgrade.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Discourse | <3.0.6 | |
| Discourse | =1.1.0-beta1 | |
| Discourse | =1.1.0-beta2 | |
| Discourse | =1.1.0-beta3 | |
| Discourse | =1.1.0-beta4 | |
| Discourse | =1.1.0-beta5 | |
| Discourse | =1.1.0-beta6 | |
| Discourse | =1.1.0-beta6b | |
| Discourse | =1.1.0-beta7 | |
| Discourse | =1.1.0-beta8 | |
| Discourse | =1.2.0-beta1 | |
| Discourse | =1.2.0-beta2 | |
| Discourse | =1.2.0-beta3 | |
| Discourse | =1.2.0-beta4 | |
| Discourse | =1.2.0-beta5 | |
| Discourse | =1.2.0-beta6 | |
| Discourse | =1.2.0-beta7 | |
| Discourse | =1.2.0-beta8 | |
| Discourse | =1.2.0-beta9 | |
| Discourse | =1.3.0-beta1 | |
| Discourse | =1.3.0-beta10 | |
| Discourse | =1.3.0-beta11 | |
| Discourse | =1.3.0-beta2 | |
| Discourse | =1.3.0-beta3 | |
| Discourse | =1.3.0-beta4 | |
| Discourse | =1.3.0-beta5 | |
| Discourse | =1.3.0-beta6 | |
| Discourse | =1.3.0-beta7 | |
| Discourse | =1.3.0-beta8 | |
| Discourse | =1.3.0-beta9 | |
| Discourse | =1.4.0-beta1 | |
| Discourse | =1.4.0-beta10 | |
| Discourse | =1.4.0-beta11 | |
| Discourse | =1.4.0-beta12 | |
| Discourse | =1.4.0-beta2 | |
| Discourse | =1.4.0-beta3 | |
| Discourse | =1.4.0-beta4 | |
| Discourse | =1.4.0-beta5 | |
| Discourse | =1.4.0-beta6 | |
| Discourse | =1.4.0-beta7 | |
| Discourse | =1.4.0-beta8 | |
| Discourse | =1.4.0-beta9 | |
| Discourse | =1.5.0-beta1 | |
| Discourse | =1.5.0-beta10 | |
| Discourse | =1.5.0-beta11 | |
| Discourse | =1.5.0-beta12 | |
| Discourse | =1.5.0-beta13 | |
| Discourse | =1.5.0-beta13b | |
| Discourse | =1.5.0-beta14 | |
| Discourse | =1.5.0-beta2 | |
| Discourse | =1.5.0-beta3 | |
| Discourse | =1.5.0-beta4 | |
| Discourse | =1.5.0-beta5 | |
| Discourse | =1.5.0-beta6 | |
| Discourse | =1.5.0-beta7 | |
| Discourse | =1.5.0-beta8 | |
| Discourse | =1.5.0-beta9 | |
| Discourse | =1.6.0-beta1 | |
| Discourse | =1.6.0-beta10 | |
| Discourse | =1.6.0-beta11 | |
| Discourse | =1.6.0-beta12 | |
| Discourse | =1.6.0-beta2 | |
| Discourse | =1.6.0-beta3 | |
| Discourse | =1.6.0-beta4 | |
| Discourse | =1.6.0-beta5 | |
| Discourse | =1.6.0-beta6 | |
| Discourse | =1.6.0-beta7 | |
| Discourse | =1.6.0-beta8 | |
| Discourse | =1.6.0-beta9 | |
| Discourse | =1.7.0-beta1 | |
| Discourse | =1.7.0-beta10 | |
| Discourse | =1.7.0-beta11 | |
| Discourse | =1.7.0-beta2 | |
| Discourse | =1.7.0-beta3 | |
| Discourse | =1.7.0-beta4 | |
| Discourse | =1.7.0-beta5 | |
| Discourse | =1.7.0-beta6 | |
| Discourse | =1.7.0-beta7 | |
| Discourse | =1.7.0-beta8 | |
| Discourse | =1.7.0-beta9 | |
| Discourse | =1.8.0-beta1 | |
| Discourse | =1.8.0-beta10 | |
| Discourse | =1.8.0-beta11 | |
| Discourse | =1.8.0-beta12 | |
| Discourse | =1.8.0-beta13 | |
| Discourse | =1.8.0-beta2 | |
| Discourse | =1.8.0-beta3 | |
| Discourse | =1.8.0-beta4 | |
| Discourse | =1.8.0-beta5 | |
| Discourse | =1.8.0-beta6 | |
| Discourse | =1.8.0-beta7 | |
| Discourse | =1.8.0-beta8 | |
| Discourse | =1.8.0-beta9 | |
| Discourse | =1.9.0-beta1 | |
| Discourse | =1.9.0-beta10 | |
| Discourse | =1.9.0-beta11 | |
| Discourse | =1.9.0-beta12 | |
| Discourse | =1.9.0-beta13 | |
| Discourse | =1.9.0-beta14 | |
| Discourse | =1.9.0-beta15 | |
| Discourse | =1.9.0-beta16 | |
| Discourse | =1.9.0-beta17 | |
| Discourse | =1.9.0-beta2 | |
| Discourse | =1.9.0-beta3 | |
| Discourse | =1.9.0-beta4 | |
| Discourse | =1.9.0-beta5 | |
| Discourse | =1.9.0-beta6 | |
| Discourse | =1.9.0-beta7 | |
| Discourse | =1.9.0-beta8 | |
| Discourse | =1.9.0-beta9 | |
| Discourse | =2.0.0-beta1 | |
| Discourse | =2.0.0-beta10 | |
| Discourse | =2.0.0-beta2 | |
| Discourse | =2.0.0-beta3 | |
| Discourse | =2.0.0-beta4 | |
| Discourse | =2.0.0-beta5 | |
| Discourse | =2.0.0-beta6 | |
| Discourse | =2.0.0-beta7 | |
| Discourse | =2.0.0-beta8 | |
| Discourse | =2.0.0-beta9 | |
| Discourse | =2.1.0-beta1 | |
| Discourse | =2.1.0-beta2 | |
| Discourse | =2.1.0-beta3 | |
| Discourse | =2.1.0-beta4 | |
| Discourse | =2.1.0-beta5 | |
| Discourse | =2.1.0-beta6 | |
| Discourse | =2.2.0-beta1 | |
| Discourse | =2.2.0-beta10 | |
| Discourse | =2.2.0-beta2 | |
| Discourse | =2.2.0-beta3 | |
| Discourse | =2.2.0-beta4 | |
| Discourse | =2.2.0-beta5 | |
| Discourse | =2.2.0-beta6 | |
| Discourse | =2.2.0-beta7 | |
| Discourse | =2.2.0-beta8 | |
| Discourse | =2.2.0-beta9 | |
| Discourse | =2.3.0-beta1 | |
| Discourse | =2.3.0-beta10 | |
| Discourse | =2.3.0-beta11 | |
| Discourse | =2.3.0-beta2 | |
| Discourse | =2.3.0-beta3 | |
| Discourse | =2.3.0-beta4 | |
| Discourse | =2.3.0-beta5 | |
| Discourse | =2.3.0-beta6 | |
| Discourse | =2.3.0-beta7 | |
| Discourse | =2.3.0-beta8 | |
| Discourse | =2.3.0-beta9 | |
| Discourse | =2.4.0-beta1 | |
| Discourse | =2.4.0-beta10 | |
| Discourse | =2.4.0-beta11 | |
| Discourse | =2.4.0-beta2 | |
| Discourse | =2.4.0-beta3 | |
| Discourse | =2.4.0-beta4 | |
| Discourse | =2.4.0-beta5 | |
| Discourse | =2.4.0-beta6 | |
| Discourse | =2.4.0-beta7 | |
| Discourse | =2.4.0-beta8 | |
| Discourse | =2.4.0-beta9 | |
| Discourse | =2.5.0-beta1 | |
| Discourse | =2.5.0-beta2 | |
| Discourse | =2.5.0-beta3 | |
| Discourse | =2.5.0-beta4 | |
| Discourse | =2.5.0-beta5 | |
| Discourse | =2.5.0-beta6 | |
| Discourse | =2.5.0-beta7 | |
| Discourse | =2.6.0-beta1 | |
| Discourse | =2.6.0-beta2 | |
| Discourse | =2.6.0-beta3 | |
| Discourse | =2.6.0-beta4 | |
| Discourse | =2.6.0-beta5 | |
| Discourse | =2.6.0-beta6 | |
| Discourse | =2.7.0-beta1 | |
| Discourse | =2.7.0-beta2 | |
| Discourse | =2.7.0-beta3 | |
| Discourse | =2.7.0-beta4 | |
| Discourse | =2.7.0-beta5 | |
| Discourse | =2.7.0-beta6 | |
| Discourse | =2.7.0-beta7 | |
| Discourse | =2.7.0-beta8 | |
| Discourse | =2.7.0-beta9 | |
| Discourse | =2.8.0-beta1 | |
| Discourse | =2.8.0-beta10 | |
| Discourse | =2.8.0-beta11 | |
| Discourse | =2.8.0-beta2 | |
| Discourse | =2.8.0-beta3 | |
| Discourse | =2.8.0-beta4 | |
| Discourse | =2.8.0-beta5 | |
| Discourse | =2.8.0-beta6 | |
| Discourse | =2.8.0-beta7 | |
| Discourse | =2.8.0-beta8 | |
| Discourse | =2.8.0-beta9 | |
| Discourse | =2.9.0-beta1 | |
| Discourse | =2.9.0-beta10 | |
| Discourse | =2.9.0-beta11 | |
| Discourse | =2.9.0-beta12 | |
| Discourse | =2.9.0-beta13 | |
| Discourse | =2.9.0-beta14 | |
| Discourse | =2.9.0-beta2 | |
| Discourse | =2.9.0-beta3 | |
| Discourse | =2.9.0-beta4 | |
| Discourse | =2.9.0-beta5 | |
| Discourse | =2.9.0-beta6 | |
| Discourse | =2.9.0-beta7 | |
| Discourse | =2.9.0-beta8 | |
| Discourse | =2.9.0-beta9 | |
| Discourse | =3.0.0-beta15 | |
| Discourse | =3.0.0-beta16 | |
| Discourse | =3.1.0-beta1 | |
| Discourse | =3.1.0-beta2 | |
| Discourse | =3.1.0-beta3 | |
| Discourse | =3.1.0-beta5 | |
| Discourse | =3.1.0-beta6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-38498?
The severity of CVE-2023-38498 is classified as moderate due to its potential impact on multisite installations of Discourse.
How do I fix CVE-2023-38498?
To fix CVE-2023-38498, upgrade Discourse to version 3.0.6 or higher on the stable branch or 3.1.0.beta7 or higher on the beta branches.
What versions are affected by CVE-2023-38498?
CVE-2023-38498 affects Discourse versions prior to 3.0.6 and 3.1.0.beta7.
What kind of exploitation does CVE-2023-38498 allow?
CVE-2023-38498 allows a malicious user to impede the defer queue from progressing on sites within the same multisite setup.
Is CVE-2023-38498 an active vulnerability?
As of now, CVE-2023-38498 is recognized but no active exploitation has been reported.
- agent/references
- agent/weakness
- agent/author
- agent/type
- agent/softwarecombine
- collector/epss-latest
- source/FIRST
- agent/remedy
- agent/description
- agent/epss
- agent/severity
- agent/title
- agent/first-publish-date
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-latest
- vendor/discourse
- canonical/discourse
- version/discourse/1.1.0-beta1
- version/discourse/1.1.0-beta2
- version/discourse/1.1.0-beta3
- version/discourse/1.1.0-beta4
- version/discourse/1.1.0-beta5
- version/discourse/1.1.0-beta6
- version/discourse/1.1.0-beta6b
- version/discourse/1.1.0-beta7
- version/discourse/1.1.0-beta8
- version/discourse/1.2.0-beta1
- version/discourse/1.2.0-beta2
- version/discourse/1.2.0-beta3
- version/discourse/1.2.0-beta4
- version/discourse/1.2.0-beta5
- version/discourse/1.2.0-beta6
- version/discourse/1.2.0-beta7
- version/discourse/1.2.0-beta8
- version/discourse/1.2.0-beta9
- version/discourse/1.3.0-beta1
- version/discourse/1.3.0-beta10
- version/discourse/1.3.0-beta11
- version/discourse/1.3.0-beta2
- version/discourse/1.3.0-beta3
- version/discourse/1.3.0-beta4
- version/discourse/1.3.0-beta5
- version/discourse/1.3.0-beta6
- version/discourse/1.3.0-beta7
- version/discourse/1.3.0-beta8
- version/discourse/1.3.0-beta9
- version/discourse/1.4.0-beta1
- version/discourse/1.4.0-beta10
- version/discourse/1.4.0-beta11
- version/discourse/1.4.0-beta12
- version/discourse/1.4.0-beta2
- version/discourse/1.4.0-beta3
- version/discourse/1.4.0-beta4
- version/discourse/1.4.0-beta5
- version/discourse/1.4.0-beta6
- version/discourse/1.4.0-beta7
- version/discourse/1.4.0-beta8
- version/discourse/1.4.0-beta9
- version/discourse/1.5.0-beta1
- version/discourse/1.5.0-beta10
- version/discourse/1.5.0-beta11
- version/discourse/1.5.0-beta12
- version/discourse/1.5.0-beta13
- version/discourse/1.5.0-beta13b
- version/discourse/1.5.0-beta14
- version/discourse/1.5.0-beta2
- version/discourse/1.5.0-beta3
- version/discourse/1.5.0-beta4
- version/discourse/1.5.0-beta5
- version/discourse/1.5.0-beta6
- version/discourse/1.5.0-beta7
- version/discourse/1.5.0-beta8
- version/discourse/1.5.0-beta9
- version/discourse/1.6.0-beta1
- version/discourse/1.6.0-beta10
- version/discourse/1.6.0-beta11
- version/discourse/1.6.0-beta12
- version/discourse/1.6.0-beta2
- version/discourse/1.6.0-beta3
- version/discourse/1.6.0-beta4
- version/discourse/1.6.0-beta5
- version/discourse/1.6.0-beta6
- version/discourse/1.6.0-beta7
- version/discourse/1.6.0-beta8
- version/discourse/1.6.0-beta9
- version/discourse/1.7.0-beta1
- version/discourse/1.7.0-beta10
- version/discourse/1.7.0-beta11
- version/discourse/1.7.0-beta2
- version/discourse/1.7.0-beta3
- version/discourse/1.7.0-beta4
- version/discourse/1.7.0-beta5
- version/discourse/1.7.0-beta6
- version/discourse/1.7.0-beta7
- version/discourse/1.7.0-beta8
- version/discourse/1.7.0-beta9
- version/discourse/1.8.0-beta1
- version/discourse/1.8.0-beta10
- version/discourse/1.8.0-beta11
- version/discourse/1.8.0-beta12
- version/discourse/1.8.0-beta13
- version/discourse/1.8.0-beta2
- version/discourse/1.8.0-beta3
- version/discourse/1.8.0-beta4
- version/discourse/1.8.0-beta5
- version/discourse/1.8.0-beta6
- version/discourse/1.8.0-beta7
- version/discourse/1.8.0-beta8
- version/discourse/1.8.0-beta9
- version/discourse/1.9.0-beta1
- version/discourse/1.9.0-beta10
- version/discourse/1.9.0-beta11
- version/discourse/1.9.0-beta12
- version/discourse/1.9.0-beta13
- version/discourse/1.9.0-beta14
- version/discourse/1.9.0-beta15
- version/discourse/1.9.0-beta16
- version/discourse/1.9.0-beta17
- version/discourse/1.9.0-beta2
- version/discourse/1.9.0-beta3
- version/discourse/1.9.0-beta4
- version/discourse/1.9.0-beta5
- version/discourse/1.9.0-beta6
- version/discourse/1.9.0-beta7
- version/discourse/1.9.0-beta8
- version/discourse/1.9.0-beta9
- version/discourse/2.0.0-beta1
- version/discourse/2.0.0-beta10
- version/discourse/2.0.0-beta2
- version/discourse/2.0.0-beta3
- version/discourse/2.0.0-beta4
- version/discourse/2.0.0-beta5
- version/discourse/2.0.0-beta6
- version/discourse/2.0.0-beta7
- version/discourse/2.0.0-beta8
- version/discourse/2.0.0-beta9
- version/discourse/2.1.0-beta1
- version/discourse/2.1.0-beta2
- version/discourse/2.1.0-beta3
- version/discourse/2.1.0-beta4
- version/discourse/2.1.0-beta5
- version/discourse/2.1.0-beta6
- version/discourse/2.2.0-beta1
- version/discourse/2.2.0-beta10
- version/discourse/2.2.0-beta2
- version/discourse/2.2.0-beta3
- version/discourse/2.2.0-beta4
- version/discourse/2.2.0-beta5
- version/discourse/2.2.0-beta6
- version/discourse/2.2.0-beta7
- version/discourse/2.2.0-beta8
- version/discourse/2.2.0-beta9
- version/discourse/2.3.0-beta1
- version/discourse/2.3.0-beta10
- version/discourse/2.3.0-beta11
- version/discourse/2.3.0-beta2
- version/discourse/2.3.0-beta3
- version/discourse/2.3.0-beta4
- version/discourse/2.3.0-beta5
- version/discourse/2.3.0-beta6
- version/discourse/2.3.0-beta7
- version/discourse/2.3.0-beta8
- version/discourse/2.3.0-beta9
- version/discourse/2.4.0-beta1
- version/discourse/2.4.0-beta10
- version/discourse/2.4.0-beta11
- version/discourse/2.4.0-beta2
- version/discourse/2.4.0-beta3
- version/discourse/2.4.0-beta4
- version/discourse/2.4.0-beta5
- version/discourse/2.4.0-beta6
- version/discourse/2.4.0-beta7
- version/discourse/2.4.0-beta8
- version/discourse/2.4.0-beta9
- version/discourse/2.5.0-beta1
- version/discourse/2.5.0-beta2
- version/discourse/2.5.0-beta3
- version/discourse/2.5.0-beta4
- version/discourse/2.5.0-beta5
- version/discourse/2.5.0-beta6
- version/discourse/2.5.0-beta7
- version/discourse/2.6.0-beta1
- version/discourse/2.6.0-beta2
- version/discourse/2.6.0-beta3
- version/discourse/2.6.0-beta4
- version/discourse/2.6.0-beta5
- version/discourse/2.6.0-beta6
- version/discourse/2.7.0-beta1
- version/discourse/2.7.0-beta2
- version/discourse/2.7.0-beta3
- version/discourse/2.7.0-beta4
- version/discourse/2.7.0-beta5
- version/discourse/2.7.0-beta6
- version/discourse/2.7.0-beta7
- version/discourse/2.7.0-beta8
- version/discourse/2.7.0-beta9
- version/discourse/2.8.0-beta1
- version/discourse/2.8.0-beta10
- version/discourse/2.8.0-beta11
- version/discourse/2.8.0-beta2
- version/discourse/2.8.0-beta3
- version/discourse/2.8.0-beta4
- version/discourse/2.8.0-beta5
- version/discourse/2.8.0-beta6
- version/discourse/2.8.0-beta7
- version/discourse/2.8.0-beta8
- version/discourse/2.8.0-beta9
- version/discourse/2.9.0-beta1
- version/discourse/2.9.0-beta10
- version/discourse/2.9.0-beta11
- version/discourse/2.9.0-beta12
- version/discourse/2.9.0-beta13
- version/discourse/2.9.0-beta14
- version/discourse/2.9.0-beta2
- version/discourse/2.9.0-beta3
- version/discourse/2.9.0-beta4
- version/discourse/2.9.0-beta5
- version/discourse/2.9.0-beta6
- version/discourse/2.9.0-beta7
- version/discourse/2.9.0-beta8
- version/discourse/2.9.0-beta9
- version/discourse/3.0.0-beta15
- version/discourse/3.0.0-beta16
- version/discourse/3.1.0-beta1
- version/discourse/3.1.0-beta2
- version/discourse/3.1.0-beta3
- version/discourse/3.1.0-beta5
- version/discourse/3.1.0-beta6