CVE-2023-38684: Discourse vulnerable to ossible DDoS due to unbounded limits in various controller actions
First published: Fri Jul 28 2023(Updated: )
Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, in multiple controller actions, Discourse accepts limit params but does not impose any upper bound on the values being accepted. Without an upper bound, the software may allow arbitrary users to generate DB queries which may end up exhausting the resources on the server. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Discourse | <3.0.6 | |
| Discourse | =1.1.0-beta1 | |
| Discourse | =1.1.0-beta2 | |
| Discourse | =1.1.0-beta3 | |
| Discourse | =1.1.0-beta4 | |
| Discourse | =1.1.0-beta5 | |
| Discourse | =1.1.0-beta6 | |
| Discourse | =1.1.0-beta6b | |
| Discourse | =1.1.0-beta7 | |
| Discourse | =1.1.0-beta8 | |
| Discourse | =1.2.0-beta1 | |
| Discourse | =1.2.0-beta2 | |
| Discourse | =1.2.0-beta3 | |
| Discourse | =1.2.0-beta4 | |
| Discourse | =1.2.0-beta5 | |
| Discourse | =1.2.0-beta6 | |
| Discourse | =1.2.0-beta7 | |
| Discourse | =1.2.0-beta8 | |
| Discourse | =1.2.0-beta9 | |
| Discourse | =1.3.0-beta1 | |
| Discourse | =1.3.0-beta10 | |
| Discourse | =1.3.0-beta11 | |
| Discourse | =1.3.0-beta2 | |
| Discourse | =1.3.0-beta3 | |
| Discourse | =1.3.0-beta4 | |
| Discourse | =1.3.0-beta5 | |
| Discourse | =1.3.0-beta6 | |
| Discourse | =1.3.0-beta7 | |
| Discourse | =1.3.0-beta8 | |
| Discourse | =1.3.0-beta9 | |
| Discourse | =1.4.0-beta1 | |
| Discourse | =1.4.0-beta10 | |
| Discourse | =1.4.0-beta11 | |
| Discourse | =1.4.0-beta12 | |
| Discourse | =1.4.0-beta2 | |
| Discourse | =1.4.0-beta3 | |
| Discourse | =1.4.0-beta4 | |
| Discourse | =1.4.0-beta5 | |
| Discourse | =1.4.0-beta6 | |
| Discourse | =1.4.0-beta7 | |
| Discourse | =1.4.0-beta8 | |
| Discourse | =1.4.0-beta9 | |
| Discourse | =1.5.0-beta1 | |
| Discourse | =1.5.0-beta10 | |
| Discourse | =1.5.0-beta11 | |
| Discourse | =1.5.0-beta12 | |
| Discourse | =1.5.0-beta13 | |
| Discourse | =1.5.0-beta13b | |
| Discourse | =1.5.0-beta14 | |
| Discourse | =1.5.0-beta2 | |
| Discourse | =1.5.0-beta3 | |
| Discourse | =1.5.0-beta4 | |
| Discourse | =1.5.0-beta5 | |
| Discourse | =1.5.0-beta6 | |
| Discourse | =1.5.0-beta7 | |
| Discourse | =1.5.0-beta8 | |
| Discourse | =1.5.0-beta9 | |
| Discourse | =1.6.0-beta1 | |
| Discourse | =1.6.0-beta10 | |
| Discourse | =1.6.0-beta11 | |
| Discourse | =1.6.0-beta12 | |
| Discourse | =1.6.0-beta2 | |
| Discourse | =1.6.0-beta3 | |
| Discourse | =1.6.0-beta4 | |
| Discourse | =1.6.0-beta5 | |
| Discourse | =1.6.0-beta6 | |
| Discourse | =1.6.0-beta7 | |
| Discourse | =1.6.0-beta8 | |
| Discourse | =1.6.0-beta9 | |
| Discourse | =1.7.0-beta1 | |
| Discourse | =1.7.0-beta10 | |
| Discourse | =1.7.0-beta11 | |
| Discourse | =1.7.0-beta2 | |
| Discourse | =1.7.0-beta3 | |
| Discourse | =1.7.0-beta4 | |
| Discourse | =1.7.0-beta5 | |
| Discourse | =1.7.0-beta6 | |
| Discourse | =1.7.0-beta7 | |
| Discourse | =1.7.0-beta8 | |
| Discourse | =1.7.0-beta9 | |
| Discourse | =1.8.0-beta1 | |
| Discourse | =1.8.0-beta10 | |
| Discourse | =1.8.0-beta11 | |
| Discourse | =1.8.0-beta12 | |
| Discourse | =1.8.0-beta13 | |
| Discourse | =1.8.0-beta2 | |
| Discourse | =1.8.0-beta3 | |
| Discourse | =1.8.0-beta4 | |
| Discourse | =1.8.0-beta5 | |
| Discourse | =1.8.0-beta6 | |
| Discourse | =1.8.0-beta7 | |
| Discourse | =1.8.0-beta8 | |
| Discourse | =1.8.0-beta9 | |
| Discourse | =1.9.0-beta1 | |
| Discourse | =1.9.0-beta10 | |
| Discourse | =1.9.0-beta11 | |
| Discourse | =1.9.0-beta12 | |
| Discourse | =1.9.0-beta13 | |
| Discourse | =1.9.0-beta14 | |
| Discourse | =1.9.0-beta15 | |
| Discourse | =1.9.0-beta16 | |
| Discourse | =1.9.0-beta17 | |
| Discourse | =1.9.0-beta2 | |
| Discourse | =1.9.0-beta3 | |
| Discourse | =1.9.0-beta4 | |
| Discourse | =1.9.0-beta5 | |
| Discourse | =1.9.0-beta6 | |
| Discourse | =1.9.0-beta7 | |
| Discourse | =1.9.0-beta8 | |
| Discourse | =1.9.0-beta9 | |
| Discourse | =2.0.0-beta1 | |
| Discourse | =2.0.0-beta10 | |
| Discourse | =2.0.0-beta2 | |
| Discourse | =2.0.0-beta3 | |
| Discourse | =2.0.0-beta4 | |
| Discourse | =2.0.0-beta5 | |
| Discourse | =2.0.0-beta6 | |
| Discourse | =2.0.0-beta7 | |
| Discourse | =2.0.0-beta8 | |
| Discourse | =2.0.0-beta9 | |
| Discourse | =2.1.0-beta1 | |
| Discourse | =2.1.0-beta2 | |
| Discourse | =2.1.0-beta3 | |
| Discourse | =2.1.0-beta4 | |
| Discourse | =2.1.0-beta5 | |
| Discourse | =2.1.0-beta6 | |
| Discourse | =2.2.0-beta1 | |
| Discourse | =2.2.0-beta10 | |
| Discourse | =2.2.0-beta2 | |
| Discourse | =2.2.0-beta3 | |
| Discourse | =2.2.0-beta4 | |
| Discourse | =2.2.0-beta5 | |
| Discourse | =2.2.0-beta6 | |
| Discourse | =2.2.0-beta7 | |
| Discourse | =2.2.0-beta8 | |
| Discourse | =2.2.0-beta9 | |
| Discourse | =2.3.0-beta1 | |
| Discourse | =2.3.0-beta10 | |
| Discourse | =2.3.0-beta11 | |
| Discourse | =2.3.0-beta2 | |
| Discourse | =2.3.0-beta3 | |
| Discourse | =2.3.0-beta4 | |
| Discourse | =2.3.0-beta5 | |
| Discourse | =2.3.0-beta6 | |
| Discourse | =2.3.0-beta7 | |
| Discourse | =2.3.0-beta8 | |
| Discourse | =2.3.0-beta9 | |
| Discourse | =2.4.0-beta1 | |
| Discourse | =2.4.0-beta10 | |
| Discourse | =2.4.0-beta11 | |
| Discourse | =2.4.0-beta2 | |
| Discourse | =2.4.0-beta3 | |
| Discourse | =2.4.0-beta4 | |
| Discourse | =2.4.0-beta5 | |
| Discourse | =2.4.0-beta6 | |
| Discourse | =2.4.0-beta7 | |
| Discourse | =2.4.0-beta8 | |
| Discourse | =2.4.0-beta9 | |
| Discourse | =2.5.0-beta1 | |
| Discourse | =2.5.0-beta2 | |
| Discourse | =2.5.0-beta3 | |
| Discourse | =2.5.0-beta4 | |
| Discourse | =2.5.0-beta5 | |
| Discourse | =2.5.0-beta6 | |
| Discourse | =2.5.0-beta7 | |
| Discourse | =2.6.0-beta1 | |
| Discourse | =2.6.0-beta2 | |
| Discourse | =2.6.0-beta3 | |
| Discourse | =2.6.0-beta4 | |
| Discourse | =2.6.0-beta5 | |
| Discourse | =2.6.0-beta6 | |
| Discourse | =2.7.0-beta1 | |
| Discourse | =2.7.0-beta2 | |
| Discourse | =2.7.0-beta3 | |
| Discourse | =2.7.0-beta4 | |
| Discourse | =2.7.0-beta5 | |
| Discourse | =2.7.0-beta6 | |
| Discourse | =2.7.0-beta7 | |
| Discourse | =2.7.0-beta8 | |
| Discourse | =2.7.0-beta9 | |
| Discourse | =2.8.0-beta1 | |
| Discourse | =2.8.0-beta10 | |
| Discourse | =2.8.0-beta11 | |
| Discourse | =2.8.0-beta2 | |
| Discourse | =2.8.0-beta3 | |
| Discourse | =2.8.0-beta4 | |
| Discourse | =2.8.0-beta5 | |
| Discourse | =2.8.0-beta6 | |
| Discourse | =2.8.0-beta7 | |
| Discourse | =2.8.0-beta8 | |
| Discourse | =2.8.0-beta9 | |
| Discourse | =2.9.0-beta1 | |
| Discourse | =2.9.0-beta10 | |
| Discourse | =2.9.0-beta11 | |
| Discourse | =2.9.0-beta12 | |
| Discourse | =2.9.0-beta13 | |
| Discourse | =2.9.0-beta14 | |
| Discourse | =2.9.0-beta2 | |
| Discourse | =2.9.0-beta3 | |
| Discourse | =2.9.0-beta4 | |
| Discourse | =2.9.0-beta5 | |
| Discourse | =2.9.0-beta6 | |
| Discourse | =2.9.0-beta7 | |
| Discourse | =2.9.0-beta8 | |
| Discourse | =2.9.0-beta9 | |
| Discourse | =3.0.0-beta15 | |
| Discourse | =3.0.0-beta16 | |
| Discourse | =3.1.0-beta1 | |
| Discourse | =3.1.0-beta2 | |
| Discourse | =3.1.0-beta3 | |
| Discourse | =3.1.0-beta5 | |
| Discourse | =3.1.0-beta6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-38684?
CVE-2023-38684 has a medium severity level due to improper input validation allowing potential denial of service via high limit parameters.
How do I fix CVE-2023-38684?
To fix CVE-2023-38684, update to version 3.0.6 or later in the stable branch, or version 3.1.0.beta7 or later in the beta or tests-passed branches.
What versions are affected by CVE-2023-38684?
CVE-2023-38684 affects Discourse versions prior to 3.0.6 for the stable branch and prior to 3.1.0.beta7 for the beta and tests-passed branches.
Is CVE-2023-38684 remotely exploitable?
Yes, CVE-2023-38684 can be exploited remotely as it allows attackers to send crafted requests with high limit parameters.
What mitigation steps should I take for CVE-2023-38684?
In addition to upgrading, consider implementing input validation measures to restrict limit parameters until the software is updated.
- agent/references
- agent/author
- agent/type
- agent/softwarecombine
- agent/severity
- agent/title
- agent/remedy
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-latest
- vendor/discourse
- canonical/discourse
- version/discourse/1.1.0-beta1
- version/discourse/1.1.0-beta2
- version/discourse/1.1.0-beta3
- version/discourse/1.1.0-beta4
- version/discourse/1.1.0-beta5
- version/discourse/1.1.0-beta6
- version/discourse/1.1.0-beta6b
- version/discourse/1.1.0-beta7
- version/discourse/1.1.0-beta8
- version/discourse/1.2.0-beta1
- version/discourse/1.2.0-beta2
- version/discourse/1.2.0-beta3
- version/discourse/1.2.0-beta4
- version/discourse/1.2.0-beta5
- version/discourse/1.2.0-beta6
- version/discourse/1.2.0-beta7
- version/discourse/1.2.0-beta8
- version/discourse/1.2.0-beta9
- version/discourse/1.3.0-beta1
- version/discourse/1.3.0-beta10
- version/discourse/1.3.0-beta11
- version/discourse/1.3.0-beta2
- version/discourse/1.3.0-beta3
- version/discourse/1.3.0-beta4
- version/discourse/1.3.0-beta5
- version/discourse/1.3.0-beta6
- version/discourse/1.3.0-beta7
- version/discourse/1.3.0-beta8
- version/discourse/1.3.0-beta9
- version/discourse/1.4.0-beta1
- version/discourse/1.4.0-beta10
- version/discourse/1.4.0-beta11
- version/discourse/1.4.0-beta12
- version/discourse/1.4.0-beta2
- version/discourse/1.4.0-beta3
- version/discourse/1.4.0-beta4
- version/discourse/1.4.0-beta5
- version/discourse/1.4.0-beta6
- version/discourse/1.4.0-beta7
- version/discourse/1.4.0-beta8
- version/discourse/1.4.0-beta9
- version/discourse/1.5.0-beta1
- version/discourse/1.5.0-beta10
- version/discourse/1.5.0-beta11
- version/discourse/1.5.0-beta12
- version/discourse/1.5.0-beta13
- version/discourse/1.5.0-beta13b
- version/discourse/1.5.0-beta14
- version/discourse/1.5.0-beta2
- version/discourse/1.5.0-beta3
- version/discourse/1.5.0-beta4
- version/discourse/1.5.0-beta5
- version/discourse/1.5.0-beta6
- version/discourse/1.5.0-beta7
- version/discourse/1.5.0-beta8
- version/discourse/1.5.0-beta9
- version/discourse/1.6.0-beta1
- version/discourse/1.6.0-beta10
- version/discourse/1.6.0-beta11
- version/discourse/1.6.0-beta12
- version/discourse/1.6.0-beta2
- version/discourse/1.6.0-beta3
- version/discourse/1.6.0-beta4
- version/discourse/1.6.0-beta5
- version/discourse/1.6.0-beta6
- version/discourse/1.6.0-beta7
- version/discourse/1.6.0-beta8
- version/discourse/1.6.0-beta9
- version/discourse/1.7.0-beta1
- version/discourse/1.7.0-beta10
- version/discourse/1.7.0-beta11
- version/discourse/1.7.0-beta2
- version/discourse/1.7.0-beta3
- version/discourse/1.7.0-beta4
- version/discourse/1.7.0-beta5
- version/discourse/1.7.0-beta6
- version/discourse/1.7.0-beta7
- version/discourse/1.7.0-beta8
- version/discourse/1.7.0-beta9
- version/discourse/1.8.0-beta1
- version/discourse/1.8.0-beta10
- version/discourse/1.8.0-beta11
- version/discourse/1.8.0-beta12
- version/discourse/1.8.0-beta13
- version/discourse/1.8.0-beta2
- version/discourse/1.8.0-beta3
- version/discourse/1.8.0-beta4
- version/discourse/1.8.0-beta5
- version/discourse/1.8.0-beta6
- version/discourse/1.8.0-beta7
- version/discourse/1.8.0-beta8
- version/discourse/1.8.0-beta9
- version/discourse/1.9.0-beta1
- version/discourse/1.9.0-beta10
- version/discourse/1.9.0-beta11
- version/discourse/1.9.0-beta12
- version/discourse/1.9.0-beta13
- version/discourse/1.9.0-beta14
- version/discourse/1.9.0-beta15
- version/discourse/1.9.0-beta16
- version/discourse/1.9.0-beta17
- version/discourse/1.9.0-beta2
- version/discourse/1.9.0-beta3
- version/discourse/1.9.0-beta4
- version/discourse/1.9.0-beta5
- version/discourse/1.9.0-beta6
- version/discourse/1.9.0-beta7
- version/discourse/1.9.0-beta8
- version/discourse/1.9.0-beta9
- version/discourse/2.0.0-beta1
- version/discourse/2.0.0-beta10
- version/discourse/2.0.0-beta2
- version/discourse/2.0.0-beta3
- version/discourse/2.0.0-beta4
- version/discourse/2.0.0-beta5
- version/discourse/2.0.0-beta6
- version/discourse/2.0.0-beta7
- version/discourse/2.0.0-beta8
- version/discourse/2.0.0-beta9
- version/discourse/2.1.0-beta1
- version/discourse/2.1.0-beta2
- version/discourse/2.1.0-beta3
- version/discourse/2.1.0-beta4
- version/discourse/2.1.0-beta5
- version/discourse/2.1.0-beta6
- version/discourse/2.2.0-beta1
- version/discourse/2.2.0-beta10
- version/discourse/2.2.0-beta2
- version/discourse/2.2.0-beta3
- version/discourse/2.2.0-beta4
- version/discourse/2.2.0-beta5
- version/discourse/2.2.0-beta6
- version/discourse/2.2.0-beta7
- version/discourse/2.2.0-beta8
- version/discourse/2.2.0-beta9
- version/discourse/2.3.0-beta1
- version/discourse/2.3.0-beta10
- version/discourse/2.3.0-beta11
- version/discourse/2.3.0-beta2
- version/discourse/2.3.0-beta3
- version/discourse/2.3.0-beta4
- version/discourse/2.3.0-beta5
- version/discourse/2.3.0-beta6
- version/discourse/2.3.0-beta7
- version/discourse/2.3.0-beta8
- version/discourse/2.3.0-beta9
- version/discourse/2.4.0-beta1
- version/discourse/2.4.0-beta10
- version/discourse/2.4.0-beta11
- version/discourse/2.4.0-beta2
- version/discourse/2.4.0-beta3
- version/discourse/2.4.0-beta4
- version/discourse/2.4.0-beta5
- version/discourse/2.4.0-beta6
- version/discourse/2.4.0-beta7
- version/discourse/2.4.0-beta8
- version/discourse/2.4.0-beta9
- version/discourse/2.5.0-beta1
- version/discourse/2.5.0-beta2
- version/discourse/2.5.0-beta3
- version/discourse/2.5.0-beta4
- version/discourse/2.5.0-beta5
- version/discourse/2.5.0-beta6
- version/discourse/2.5.0-beta7
- version/discourse/2.6.0-beta1
- version/discourse/2.6.0-beta2
- version/discourse/2.6.0-beta3
- version/discourse/2.6.0-beta4
- version/discourse/2.6.0-beta5
- version/discourse/2.6.0-beta6
- version/discourse/2.7.0-beta1
- version/discourse/2.7.0-beta2
- version/discourse/2.7.0-beta3
- version/discourse/2.7.0-beta4
- version/discourse/2.7.0-beta5
- version/discourse/2.7.0-beta6
- version/discourse/2.7.0-beta7
- version/discourse/2.7.0-beta8
- version/discourse/2.7.0-beta9
- version/discourse/2.8.0-beta1
- version/discourse/2.8.0-beta10
- version/discourse/2.8.0-beta11
- version/discourse/2.8.0-beta2
- version/discourse/2.8.0-beta3
- version/discourse/2.8.0-beta4
- version/discourse/2.8.0-beta5
- version/discourse/2.8.0-beta6
- version/discourse/2.8.0-beta7
- version/discourse/2.8.0-beta8
- version/discourse/2.8.0-beta9
- version/discourse/2.9.0-beta1
- version/discourse/2.9.0-beta10
- version/discourse/2.9.0-beta11
- version/discourse/2.9.0-beta12
- version/discourse/2.9.0-beta13
- version/discourse/2.9.0-beta14
- version/discourse/2.9.0-beta2
- version/discourse/2.9.0-beta3
- version/discourse/2.9.0-beta4
- version/discourse/2.9.0-beta5
- version/discourse/2.9.0-beta6
- version/discourse/2.9.0-beta7
- version/discourse/2.9.0-beta8
- version/discourse/2.9.0-beta9
- version/discourse/3.0.0-beta15
- version/discourse/3.0.0-beta16
- version/discourse/3.1.0-beta1
- version/discourse/3.1.0-beta2
- version/discourse/3.1.0-beta3
- version/discourse/3.1.0-beta5
- version/discourse/3.1.0-beta6