First published: Fri Nov 10 2023(Updated: )
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, the embedding feature is susceptible to server side request forgery. The issue is patched in version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches. As a workaround, disable the Embedding feature.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
<3.1.3 | ||
<3.2.0 | ||
=3.2.0-beta1 | ||
=3.2.0-beta2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-47121 is a vulnerability in the embedding feature of Discourse that allows for server side request forgery (SSRF).
The severity of CVE-2023-47121 is critical with a CVSS score of 9.8.
CVE-2023-47121 affects versions prior to 3.1.3 of the stable branch and versions prior to 3.2.0.beta3 of the beta and tests-passed branches.
To fix CVE-2023-47121, upgrade to version 3.1.3 of the stable branch or version 3.2.0.beta3 of the beta and tests-passed branches of Discourse.
You can find more information about CVE-2023-47121 in the following references: [GitHub Advisory](https://github.com/discourse/discourse/security/advisories/GHSA-hp24-94qf-8cgc), [Discourse Commit 1](https://github.com/discourse/discourse/commit/24cca10da731734af4e9748de99a508d586e59f1), [Discourse Commit 2](https://github.com/discourse/discourse/commit/5f20748e402223b265e6fee381472c14e2604da6).