CVE-2022-39241
on github
Published
Severity
CVSS v3:
4.9 MEDIUM
CVSS v2:
N/A
Description
Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest `stable`, `beta`, and `test-passed` versions are now patched. As a workaround, self-hosters can use `DISCOURSE_BLOCKED_IP_BLOCKS` env var (which overrides `blocked_ip_blocks` setting) to stop webhooks from accessing private IPs.
References
Configurations
CPE23 | Version Start | Version End | Exact Version |
---|---|---|---|
cpe:2.3:a:discourse:discourse:2.9.0:beta1:*:*:*:*:*:* | n/a | n/a | 2.9.0 |
cpe:2.3:a:discourse:discourse:2.9.0:beta2:*:*:*:*:*:* | n/a | n/a | 2.9.0 |
cpe:2.3:a:discourse:discourse:2.9.0:beta3:*:*:*:*:*:* | n/a | n/a | 2.9.0 |
cpe:2.3:a:discourse:discourse:2.9.0:beta4:*:*:*:*:*:* | n/a | n/a | 2.9.0 |
cpe:2.3:a:discourse:discourse:2.9.0:beta5:*:*:*:*:*:* | n/a | n/a | 2.9.0 |
cpe:2.3:a:discourse:discourse:2.9.0:beta7:*:*:*:*:*:* | n/a | n/a | 2.9.0 |
cpe:2.3:a:discourse:discourse:2.9.0:beta8:*:*:*:*:*:* | n/a | n/a | 2.9.0 |
cpe:2.3:a:discourse:discourse:2.9.0:beta6:*:*:*:*:*:* | n/a | n/a | 2.9.0 |
cpe:2.3:a:discourse:discourse:2.9.0:beta9:*:*:*:*:*:* | n/a | n/a | 2.9.0 |
cpe:2.3:a:discourse:discourse:2.9.0:beta10:*:*:*:*:*:* | n/a | n/a | 2.9.0 |
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:* | n/a | 2.8.10 | * |