CVE-2022-39241

discourse/discourse

on github

Published

November 2, 2022

Severity

CVSS v3:

4.9 MEDIUM

CVSS v2:

N/A

Description

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest `stable`, `beta`, and `test-passed` versions are now patched. As a workaround, self-hosters can use `DISCOURSE_BLOCKED_IP_BLOCKS` env var (which overrides `blocked_ip_blocks` setting) to stop webhooks from accessing private IPs.

References

https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:discourse:discourse:2.9.0:beta1::::::	n/a	n/a	2.9.0
cpe:2.3:a:discourse:discourse:2.9.0:beta2::::::	n/a	n/a	2.9.0
cpe:2.3:a:discourse:discourse:2.9.0:beta3::::::	n/a	n/a	2.9.0
cpe:2.3:a:discourse:discourse:2.9.0:beta4::::::	n/a	n/a	2.9.0
cpe:2.3:a:discourse:discourse:2.9.0:beta5::::::	n/a	n/a	2.9.0
cpe:2.3:a:discourse:discourse:2.9.0:beta7::::::	n/a	n/a	2.9.0
cpe:2.3:a:discourse:discourse:2.9.0:beta8::::::	n/a	n/a	2.9.0
cpe:2.3:a:discourse:discourse:2.9.0:beta6::::::	n/a	n/a	2.9.0
cpe:2.3:a:discourse:discourse:2.9.0:beta9::::::	n/a	n/a	2.9.0
cpe:2.3:a:discourse:discourse:2.9.0:beta10::::::	n/a	n/a	2.9.0
cpe:2.3:a:discourse:discourse::::::::	n/a	2.8.10	*

External Links

NVD - CVE-2022-39241