CVE-2024-24827
Last modified
CVE-2024-24827 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. EPSS estimates a 0.59% chance of exploitation in the next 30 days.
Description
Discourse is an open source platform for community discussion. Without a rate limit on the POST /uploads endpoint, it makes it easier for an attacker to carry out a DoS attack on the server since creating an upload can be a resource intensive process. Do note that the impact varies from site to site as various site settings like `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels` will determine the amount of resources used when creating an upload. The issue is patched in the latest stable, beta and tests-passed version of Discourse. Users are advised to upgrade. Users unable to upgrade should reduce `max_image_size_kb`, `max_attachment_size_kb` and `max_image_megapixels` as smaller uploads require less resources to process. Alternatively, `client_max_body_size` can be reduced in Nginx to prevent large uploads from reaching the server.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | < 3.2.0 |
| Discourse | Discourse | < 3.3.0 |
References
- https://github.com/discourse/discourse/security/advisories/GHSA-58vw-246g-fjj4Third Party Advisory
- https://github.com/discourse/discourse/security/advisories/GHSA-58vw-246g-fjj4Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-24827?
How severe is CVE-2024-24827?
How do I fix CVE-2024-24827?
Are you affected by CVE-2024-24827?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST