CVE-2023-30606 - OpenCVE

Discourse is an open source platform for community discussion. In affected versions a user logged as an administrator can call arbitrary methods on the `SiteSetting` class, notably `#clear_cache!` and `#notify_changed!`, which when done on a multisite instance, can affect the entire cluster resulting in a denial of service. Users not running in multisite environments are not affected. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Discourse	Discourse

Configuration 1 [-]

OR	cpe:2.3:a:discourse:discourse:::::stable:::*
	cpe:2.3:a:discourse:discourse:::::beta:::*
	cpe:2.3:a:discourse:discourse:3.1.0:beta1:::beta:::*
	cpe:2.3:a:discourse:discourse:3.1.0:beta2:::beta:::*

No data.

References

Link	Providers
https://github.com/discourse/discourse/security/advisories/GHSA-jj93-w3mv-3jvv

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-04-18T21:36:08.683Z

Updated: 2024-08-02T14:28:51.804Z

Reserved: 2023-04-13T13:25:18.830Z

Link: CVE-2023-30606

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-04-18T22:15:08.197

Modified: 2023-04-28T03:50:43.710

Link: CVE-2023-30606

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-30606", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-04-13T13:25:18.830Z", "datePublished": "2023-04-18T21:36:08.683Z", "dateUpdated": "2024-08-02T14:28:51.804Z"}, "containers": {"cna": {"title": "Multisite denial of service through unsanitized dynamic dispatch to SiteSetting in Discourse", "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "lang": "en", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-jj93-w3mv-3jvv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-jj93-w3mv-3jvv"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": "stable: < 3.0.2", "status": "affected"}, {"version": "beta: < 3.1.0.beta3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-04-18T21:36:08.683Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open source platform for community discussion. In affected versions a user logged as an administrator can call arbitrary methods on the `SiteSetting` class, notably `#clear_cache!` and `#notify_changed!`, which when done on a multisite instance, can affect the entire cluster resulting in a denial of service. Users not running in multisite environments are not affected. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-jj93-w3mv-3jvv", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:28:51.804Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-jj93-w3mv-3jvv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-jj93-w3mv-3jvv"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*", "matchCriteriaId": "618BD7ED-B602-46C3-AFDA-55544B4E6264", "versionEndIncluding": "3.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*", "matchCriteriaId": "D3C08972-822D-4657-9B6F-02BC692B7C6E", "versionEndExcluding": "3.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:3.1.0:beta1:*:*:beta:*:*:*", "matchCriteriaId": "B9BBED17-A6BA-4F17-8814-8D8521F28375", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:3.1.0:beta2:*:*:beta:*:*:*", "matchCriteriaId": "888B8ECF-EBE0-4821-82F6-B0026E95E407", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open source platform for community discussion. In affected versions a user logged as an administrator can call arbitrary methods on the `SiteSetting` class, notably `#clear_cache!` and `#notify_changed!`, which when done on a multisite instance, can affect the entire cluster resulting in a denial of service. Users not running in multisite environments are not affected. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "id": "CVE-2023-30606", "lastModified": "2023-04-28T03:50:43.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-04-18T22:15:08.197", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-jj93-w3mv-3jvv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-732"}], "source": "security-advisories@github.com", "type": "Secondary"}]}