CVE-2023-41043: Discourse DoS via SvgSprite cache
First published: Fri Sep 15 2023(Updated: )
Discourse is an open-source discussion platform. Prior to version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches, a malicious admin could create extremely large icons sprites, which would then be cached in each server process. This may cause server processes to be killed and lead to downtime. The issue is patched in version 3.1.1 of the `stable` branch and version 3.2.0.beta1 of the `beta` and `tests-passed` branches. This is only a concern for multisite installations. No action is required when the admins are trusted.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Discourse | <3.1.1 | |
| Discourse | =1.1.0-beta1 | |
| Discourse | =1.1.0-beta2 | |
| Discourse | =1.1.0-beta3 | |
| Discourse | =1.1.0-beta4 | |
| Discourse | =1.1.0-beta5 | |
| Discourse | =1.1.0-beta6 | |
| Discourse | =1.1.0-beta6b | |
| Discourse | =1.1.0-beta7 | |
| Discourse | =1.1.0-beta8 | |
| Discourse | =1.2.0-beta1 | |
| Discourse | =1.2.0-beta2 | |
| Discourse | =1.2.0-beta3 | |
| Discourse | =1.2.0-beta4 | |
| Discourse | =1.2.0-beta5 | |
| Discourse | =1.2.0-beta6 | |
| Discourse | =1.2.0-beta7 | |
| Discourse | =1.2.0-beta8 | |
| Discourse | =1.2.0-beta9 | |
| Discourse | =1.3.0-beta1 | |
| Discourse | =1.3.0-beta10 | |
| Discourse | =1.3.0-beta11 | |
| Discourse | =1.3.0-beta2 | |
| Discourse | =1.3.0-beta3 | |
| Discourse | =1.3.0-beta4 | |
| Discourse | =1.3.0-beta5 | |
| Discourse | =1.3.0-beta6 | |
| Discourse | =1.3.0-beta7 | |
| Discourse | =1.3.0-beta8 | |
| Discourse | =1.3.0-beta9 | |
| Discourse | =1.4.0-beta1 | |
| Discourse | =1.4.0-beta10 | |
| Discourse | =1.4.0-beta11 | |
| Discourse | =1.4.0-beta12 | |
| Discourse | =1.4.0-beta2 | |
| Discourse | =1.4.0-beta3 | |
| Discourse | =1.4.0-beta4 | |
| Discourse | =1.4.0-beta5 | |
| Discourse | =1.4.0-beta6 | |
| Discourse | =1.4.0-beta7 | |
| Discourse | =1.4.0-beta8 | |
| Discourse | =1.4.0-beta9 | |
| Discourse | =1.5.0-beta1 | |
| Discourse | =1.5.0-beta10 | |
| Discourse | =1.5.0-beta11 | |
| Discourse | =1.5.0-beta12 | |
| Discourse | =1.5.0-beta13 | |
| Discourse | =1.5.0-beta13b | |
| Discourse | =1.5.0-beta14 | |
| Discourse | =1.5.0-beta2 | |
| Discourse | =1.5.0-beta3 | |
| Discourse | =1.5.0-beta4 | |
| Discourse | =1.5.0-beta5 | |
| Discourse | =1.5.0-beta6 | |
| Discourse | =1.5.0-beta7 | |
| Discourse | =1.5.0-beta8 | |
| Discourse | =1.5.0-beta9 | |
| Discourse | =1.6.0-beta1 | |
| Discourse | =1.6.0-beta10 | |
| Discourse | =1.6.0-beta11 | |
| Discourse | =1.6.0-beta12 | |
| Discourse | =1.6.0-beta2 | |
| Discourse | =1.6.0-beta3 | |
| Discourse | =1.6.0-beta4 | |
| Discourse | =1.6.0-beta5 | |
| Discourse | =1.6.0-beta6 | |
| Discourse | =1.6.0-beta7 | |
| Discourse | =1.6.0-beta8 | |
| Discourse | =1.6.0-beta9 | |
| Discourse | =1.7.0-beta1 | |
| Discourse | =1.7.0-beta10 | |
| Discourse | =1.7.0-beta11 | |
| Discourse | =1.7.0-beta2 | |
| Discourse | =1.7.0-beta3 | |
| Discourse | =1.7.0-beta4 | |
| Discourse | =1.7.0-beta5 | |
| Discourse | =1.7.0-beta6 | |
| Discourse | =1.7.0-beta7 | |
| Discourse | =1.7.0-beta8 | |
| Discourse | =1.7.0-beta9 | |
| Discourse | =1.8.0-beta1 | |
| Discourse | =1.8.0-beta10 | |
| Discourse | =1.8.0-beta11 | |
| Discourse | =1.8.0-beta12 | |
| Discourse | =1.8.0-beta13 | |
| Discourse | =1.8.0-beta2 | |
| Discourse | =1.8.0-beta3 | |
| Discourse | =1.8.0-beta4 | |
| Discourse | =1.8.0-beta5 | |
| Discourse | =1.8.0-beta6 | |
| Discourse | =1.8.0-beta7 | |
| Discourse | =1.8.0-beta8 | |
| Discourse | =1.8.0-beta9 | |
| Discourse | =1.9.0-beta1 | |
| Discourse | =1.9.0-beta10 | |
| Discourse | =1.9.0-beta11 | |
| Discourse | =1.9.0-beta12 | |
| Discourse | =1.9.0-beta13 | |
| Discourse | =1.9.0-beta14 | |
| Discourse | =1.9.0-beta15 | |
| Discourse | =1.9.0-beta16 | |
| Discourse | =1.9.0-beta17 | |
| Discourse | =1.9.0-beta2 | |
| Discourse | =1.9.0-beta3 | |
| Discourse | =1.9.0-beta4 | |
| Discourse | =1.9.0-beta5 | |
| Discourse | =1.9.0-beta6 | |
| Discourse | =1.9.0-beta7 | |
| Discourse | =1.9.0-beta8 | |
| Discourse | =1.9.0-beta9 | |
| Discourse | =2.0.0-beta1 | |
| Discourse | =2.0.0-beta10 | |
| Discourse | =2.0.0-beta2 | |
| Discourse | =2.0.0-beta3 | |
| Discourse | =2.0.0-beta4 | |
| Discourse | =2.0.0-beta5 | |
| Discourse | =2.0.0-beta6 | |
| Discourse | =2.0.0-beta7 | |
| Discourse | =2.0.0-beta8 | |
| Discourse | =2.0.0-beta9 | |
| Discourse | =2.1.0-beta1 | |
| Discourse | =2.1.0-beta2 | |
| Discourse | =2.1.0-beta3 | |
| Discourse | =2.1.0-beta4 | |
| Discourse | =2.1.0-beta5 | |
| Discourse | =2.1.0-beta6 | |
| Discourse | =2.2.0-beta1 | |
| Discourse | =2.2.0-beta10 | |
| Discourse | =2.2.0-beta2 | |
| Discourse | =2.2.0-beta3 | |
| Discourse | =2.2.0-beta4 | |
| Discourse | =2.2.0-beta5 | |
| Discourse | =2.2.0-beta6 | |
| Discourse | =2.2.0-beta7 | |
| Discourse | =2.2.0-beta8 | |
| Discourse | =2.2.0-beta9 | |
| Discourse | =2.3.0-beta1 | |
| Discourse | =2.3.0-beta10 | |
| Discourse | =2.3.0-beta11 | |
| Discourse | =2.3.0-beta2 | |
| Discourse | =2.3.0-beta3 | |
| Discourse | =2.3.0-beta4 | |
| Discourse | =2.3.0-beta5 | |
| Discourse | =2.3.0-beta6 | |
| Discourse | =2.3.0-beta7 | |
| Discourse | =2.3.0-beta8 | |
| Discourse | =2.3.0-beta9 | |
| Discourse | =2.4.0-beta1 | |
| Discourse | =2.4.0-beta10 | |
| Discourse | =2.4.0-beta11 | |
| Discourse | =2.4.0-beta2 | |
| Discourse | =2.4.0-beta3 | |
| Discourse | =2.4.0-beta4 | |
| Discourse | =2.4.0-beta5 | |
| Discourse | =2.4.0-beta6 | |
| Discourse | =2.4.0-beta7 | |
| Discourse | =2.4.0-beta8 | |
| Discourse | =2.4.0-beta9 | |
| Discourse | =2.5.0-beta1 | |
| Discourse | =2.5.0-beta2 | |
| Discourse | =2.5.0-beta3 | |
| Discourse | =2.5.0-beta4 | |
| Discourse | =2.5.0-beta5 | |
| Discourse | =2.5.0-beta6 | |
| Discourse | =2.5.0-beta7 | |
| Discourse | =2.6.0-beta1 | |
| Discourse | =2.6.0-beta2 | |
| Discourse | =2.6.0-beta3 | |
| Discourse | =2.6.0-beta4 | |
| Discourse | =2.6.0-beta5 | |
| Discourse | =2.6.0-beta6 | |
| Discourse | =2.7.0-beta1 | |
| Discourse | =2.7.0-beta2 | |
| Discourse | =2.7.0-beta3 | |
| Discourse | =2.7.0-beta4 | |
| Discourse | =2.7.0-beta5 | |
| Discourse | =2.7.0-beta6 | |
| Discourse | =2.7.0-beta7 | |
| Discourse | =2.7.0-beta8 | |
| Discourse | =2.7.0-beta9 | |
| Discourse | =2.8.0-beta1 | |
| Discourse | =2.8.0-beta10 | |
| Discourse | =2.8.0-beta11 | |
| Discourse | =2.8.0-beta2 | |
| Discourse | =2.8.0-beta3 | |
| Discourse | =2.8.0-beta4 | |
| Discourse | =2.8.0-beta5 | |
| Discourse | =2.8.0-beta6 | |
| Discourse | =2.8.0-beta7 | |
| Discourse | =2.8.0-beta8 | |
| Discourse | =2.8.0-beta9 | |
| Discourse | =2.9.0-beta1 | |
| Discourse | =2.9.0-beta10 | |
| Discourse | =2.9.0-beta11 | |
| Discourse | =2.9.0-beta12 | |
| Discourse | =2.9.0-beta13 | |
| Discourse | =2.9.0-beta14 | |
| Discourse | =2.9.0-beta2 | |
| Discourse | =2.9.0-beta3 | |
| Discourse | =2.9.0-beta4 | |
| Discourse | =2.9.0-beta5 | |
| Discourse | =2.9.0-beta6 | |
| Discourse | =2.9.0-beta7 | |
| Discourse | =2.9.0-beta8 | |
| Discourse | =2.9.0-beta9 | |
| Discourse | =3.0.0-beta15 | |
| Discourse | =3.0.0-beta16 | |
| Discourse | =3.1.0-beta1 | |
| Discourse | =3.1.0-beta2 | |
| Discourse | =3.1.0-beta3 | |
| Discourse | =3.1.0-beta5 | |
| Discourse | =3.1.0-beta6 | |
| Discourse | =3.1.0-beta7 | |
| Discourse | =3.1.0-beta8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2023-41043?
CVE-2023-41043 is considered to be of medium severity as it involves potential denial of service due to excessively large icon sprites.
How do I fix CVE-2023-41043?
To fix CVE-2023-41043, upgrading to Discourse version 3.1.1 or later for the stable branch, or version 3.2.0.beta1 or later for beta branches is recommended.
Who is affected by CVE-2023-41043?
CVE-2023-41043 affects all versions of Discourse prior to version 3.1.1 for the stable branch and version 3.2.0.beta1 for beta branches.
What does CVE-2023-41043 exploit?
CVE-2023-41043 exploits a vulnerability where a malicious admin can create excessively large icon sprites that are cached in each server process.
Is there any workaround for CVE-2023-41043?
There is no official workaround for CVE-2023-41043 other than upgrading to the recommended versions.
- agent/type
- agent/author
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/title
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/discourse
- canonical/discourse
- version/discourse/1.1.0-beta1
- version/discourse/1.1.0-beta2
- version/discourse/1.1.0-beta3
- version/discourse/1.1.0-beta4
- version/discourse/1.1.0-beta5
- version/discourse/1.1.0-beta6
- version/discourse/1.1.0-beta6b
- version/discourse/1.1.0-beta7
- version/discourse/1.1.0-beta8
- version/discourse/1.2.0-beta1
- version/discourse/1.2.0-beta2
- version/discourse/1.2.0-beta3
- version/discourse/1.2.0-beta4
- version/discourse/1.2.0-beta5
- version/discourse/1.2.0-beta6
- version/discourse/1.2.0-beta7
- version/discourse/1.2.0-beta8
- version/discourse/1.2.0-beta9
- version/discourse/1.3.0-beta1
- version/discourse/1.3.0-beta10
- version/discourse/1.3.0-beta11
- version/discourse/1.3.0-beta2
- version/discourse/1.3.0-beta3
- version/discourse/1.3.0-beta4
- version/discourse/1.3.0-beta5
- version/discourse/1.3.0-beta6
- version/discourse/1.3.0-beta7
- version/discourse/1.3.0-beta8
- version/discourse/1.3.0-beta9
- version/discourse/1.4.0-beta1
- version/discourse/1.4.0-beta10
- version/discourse/1.4.0-beta11
- version/discourse/1.4.0-beta12
- version/discourse/1.4.0-beta2
- version/discourse/1.4.0-beta3
- version/discourse/1.4.0-beta4
- version/discourse/1.4.0-beta5
- version/discourse/1.4.0-beta6
- version/discourse/1.4.0-beta7
- version/discourse/1.4.0-beta8
- version/discourse/1.4.0-beta9
- version/discourse/1.5.0-beta1
- version/discourse/1.5.0-beta10
- version/discourse/1.5.0-beta11
- version/discourse/1.5.0-beta12
- version/discourse/1.5.0-beta13
- version/discourse/1.5.0-beta13b
- version/discourse/1.5.0-beta14
- version/discourse/1.5.0-beta2
- version/discourse/1.5.0-beta3
- version/discourse/1.5.0-beta4
- version/discourse/1.5.0-beta5
- version/discourse/1.5.0-beta6
- version/discourse/1.5.0-beta7
- version/discourse/1.5.0-beta8
- version/discourse/1.5.0-beta9
- version/discourse/1.6.0-beta1
- version/discourse/1.6.0-beta10
- version/discourse/1.6.0-beta11
- version/discourse/1.6.0-beta12
- version/discourse/1.6.0-beta2
- version/discourse/1.6.0-beta3
- version/discourse/1.6.0-beta4
- version/discourse/1.6.0-beta5
- version/discourse/1.6.0-beta6
- version/discourse/1.6.0-beta7
- version/discourse/1.6.0-beta8
- version/discourse/1.6.0-beta9
- version/discourse/1.7.0-beta1
- version/discourse/1.7.0-beta10
- version/discourse/1.7.0-beta11
- version/discourse/1.7.0-beta2
- version/discourse/1.7.0-beta3
- version/discourse/1.7.0-beta4
- version/discourse/1.7.0-beta5
- version/discourse/1.7.0-beta6
- version/discourse/1.7.0-beta7
- version/discourse/1.7.0-beta8
- version/discourse/1.7.0-beta9
- version/discourse/1.8.0-beta1
- version/discourse/1.8.0-beta10
- version/discourse/1.8.0-beta11
- version/discourse/1.8.0-beta12
- version/discourse/1.8.0-beta13
- version/discourse/1.8.0-beta2
- version/discourse/1.8.0-beta3
- version/discourse/1.8.0-beta4
- version/discourse/1.8.0-beta5
- version/discourse/1.8.0-beta6
- version/discourse/1.8.0-beta7
- version/discourse/1.8.0-beta8
- version/discourse/1.8.0-beta9
- version/discourse/1.9.0-beta1
- version/discourse/1.9.0-beta10
- version/discourse/1.9.0-beta11
- version/discourse/1.9.0-beta12
- version/discourse/1.9.0-beta13
- version/discourse/1.9.0-beta14
- version/discourse/1.9.0-beta15
- version/discourse/1.9.0-beta16
- version/discourse/1.9.0-beta17
- version/discourse/1.9.0-beta2
- version/discourse/1.9.0-beta3
- version/discourse/1.9.0-beta4
- version/discourse/1.9.0-beta5
- version/discourse/1.9.0-beta6
- version/discourse/1.9.0-beta7
- version/discourse/1.9.0-beta8
- version/discourse/1.9.0-beta9
- version/discourse/2.0.0-beta1
- version/discourse/2.0.0-beta10
- version/discourse/2.0.0-beta2
- version/discourse/2.0.0-beta3
- version/discourse/2.0.0-beta4
- version/discourse/2.0.0-beta5
- version/discourse/2.0.0-beta6
- version/discourse/2.0.0-beta7
- version/discourse/2.0.0-beta8
- version/discourse/2.0.0-beta9
- version/discourse/2.1.0-beta1
- version/discourse/2.1.0-beta2
- version/discourse/2.1.0-beta3
- version/discourse/2.1.0-beta4
- version/discourse/2.1.0-beta5
- version/discourse/2.1.0-beta6
- version/discourse/2.2.0-beta1
- version/discourse/2.2.0-beta10
- version/discourse/2.2.0-beta2
- version/discourse/2.2.0-beta3
- version/discourse/2.2.0-beta4
- version/discourse/2.2.0-beta5
- version/discourse/2.2.0-beta6
- version/discourse/2.2.0-beta7
- version/discourse/2.2.0-beta8
- version/discourse/2.2.0-beta9
- version/discourse/2.3.0-beta1
- version/discourse/2.3.0-beta10
- version/discourse/2.3.0-beta11
- version/discourse/2.3.0-beta2
- version/discourse/2.3.0-beta3
- version/discourse/2.3.0-beta4
- version/discourse/2.3.0-beta5
- version/discourse/2.3.0-beta6
- version/discourse/2.3.0-beta7
- version/discourse/2.3.0-beta8
- version/discourse/2.3.0-beta9
- version/discourse/2.4.0-beta1
- version/discourse/2.4.0-beta10
- version/discourse/2.4.0-beta11
- version/discourse/2.4.0-beta2
- version/discourse/2.4.0-beta3
- version/discourse/2.4.0-beta4
- version/discourse/2.4.0-beta5
- version/discourse/2.4.0-beta6
- version/discourse/2.4.0-beta7
- version/discourse/2.4.0-beta8
- version/discourse/2.4.0-beta9
- version/discourse/2.5.0-beta1
- version/discourse/2.5.0-beta2
- version/discourse/2.5.0-beta3
- version/discourse/2.5.0-beta4
- version/discourse/2.5.0-beta5
- version/discourse/2.5.0-beta6
- version/discourse/2.5.0-beta7
- version/discourse/2.6.0-beta1
- version/discourse/2.6.0-beta2
- version/discourse/2.6.0-beta3
- version/discourse/2.6.0-beta4
- version/discourse/2.6.0-beta5
- version/discourse/2.6.0-beta6
- version/discourse/2.7.0-beta1
- version/discourse/2.7.0-beta2
- version/discourse/2.7.0-beta3
- version/discourse/2.7.0-beta4
- version/discourse/2.7.0-beta5
- version/discourse/2.7.0-beta6
- version/discourse/2.7.0-beta7
- version/discourse/2.7.0-beta8
- version/discourse/2.7.0-beta9
- version/discourse/2.8.0-beta1
- version/discourse/2.8.0-beta10
- version/discourse/2.8.0-beta11
- version/discourse/2.8.0-beta2
- version/discourse/2.8.0-beta3
- version/discourse/2.8.0-beta4
- version/discourse/2.8.0-beta5
- version/discourse/2.8.0-beta6
- version/discourse/2.8.0-beta7
- version/discourse/2.8.0-beta8
- version/discourse/2.8.0-beta9
- version/discourse/2.9.0-beta1
- version/discourse/2.9.0-beta10
- version/discourse/2.9.0-beta11
- version/discourse/2.9.0-beta12
- version/discourse/2.9.0-beta13
- version/discourse/2.9.0-beta14
- version/discourse/2.9.0-beta2
- version/discourse/2.9.0-beta3
- version/discourse/2.9.0-beta4
- version/discourse/2.9.0-beta5
- version/discourse/2.9.0-beta6
- version/discourse/2.9.0-beta7
- version/discourse/2.9.0-beta8
- version/discourse/2.9.0-beta9
- version/discourse/3.0.0-beta15
- version/discourse/3.0.0-beta16
- version/discourse/3.1.0-beta1
- version/discourse/3.1.0-beta2
- version/discourse/3.1.0-beta3
- version/discourse/3.1.0-beta5
- version/discourse/3.1.0-beta6
- version/discourse/3.1.0-beta7
- version/discourse/3.1.0-beta8