cve-2023-28112
Vulnerability from cvelistv5
Published
2023-03-17 18:35
Modified
2024-08-02 12:30
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Summary
Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, some user provided URLs were being passed to FastImage without SSRF protection. Insufficient protections could enable attackers to trigger outbound network connections from the Discourse server to private IP addresses. This affects any site running the `tests-passed` or `beta` branches versions 3.1.0.beta2 and prior. This issue is patched in version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.
References
security-advisories@github.comhttps://github.com/discourse/discourse/commit/39c2f63b35d90ebaf67b9604cf1d424e5984203cPatch
security-advisories@github.comhttps://github.com/discourse/discourse/pull/20710Patch
security-advisories@github.comhttps://github.com/discourse/discourse/security/advisories/GHSA-9897-x229-55ghVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/discourse/discourse/commit/39c2f63b35d90ebaf67b9604cf1d424e5984203cPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/discourse/discourse/pull/20710Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/discourse/discourse/security/advisories/GHSA-9897-x229-55ghVendor Advisory
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T12:30:24.186Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/discourse/discourse/security/advisories/GHSA-9897-x229-55gh",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/discourse/discourse/security/advisories/GHSA-9897-x229-55gh"
          },
          {
            "name": "https://github.com/discourse/discourse/pull/20710",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/discourse/discourse/pull/20710"
          },
          {
            "name": "https://github.com/discourse/discourse/commit/39c2f63b35d90ebaf67b9604cf1d424e5984203c",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/discourse/discourse/commit/39c2f63b35d90ebaf67b9604cf1d424e5984203c"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "discourse",
          "vendor": "discourse",
          "versions": [
            {
              "status": "affected",
              "version": "beta \u003c 3.1.0.beta3"
            },
            {
              "status": "affected",
              "version": "tests-passed \u003c 3.1.0.beta3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, some user provided URLs were being passed to FastImage without SSRF protection. Insufficient protections could enable attackers to trigger outbound network connections from the Discourse server to private IP addresses. This affects any site running the `tests-passed` or `beta` branches versions 3.1.0.beta2 and prior. This issue is patched in version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-17T18:35:07.984Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/discourse/discourse/security/advisories/GHSA-9897-x229-55gh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/discourse/discourse/security/advisories/GHSA-9897-x229-55gh"
        },
        {
          "name": "https://github.com/discourse/discourse/pull/20710",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/discourse/discourse/pull/20710"
        },
        {
          "name": "https://github.com/discourse/discourse/commit/39c2f63b35d90ebaf67b9604cf1d424e5984203c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/discourse/discourse/commit/39c2f63b35d90ebaf67b9604cf1d424e5984203c"
        }
      ],
      "source": {
        "advisory": "GHSA-9897-x229-55gh",
        "discovery": "UNKNOWN"
      },
      "title": "Discourse\u0027s SSRF protection missing for some FastImage requests"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-28112",
    "datePublished": "2023-03-17T18:35:07.984Z",
    "dateReserved": "2023-03-10T18:34:29.227Z",
    "dateUpdated": "2024-08-02T12:30:24.186Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-28112\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-03-17T19:15:11.507\",\"lastModified\":\"2024-11-21T07:54:25.787\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, some user provided URLs were being passed to FastImage without SSRF protection. Insufficient protections could enable attackers to trigger outbound network connections from the Discourse server to private IP addresses. This affects any site running the `tests-passed` or `beta` branches versions 3.1.0.beta2 and prior. This issue is patched in version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*\",\"versionEndExcluding\":\"3.1.0\",\"matchCriteriaId\":\"D3C08972-822D-4657-9B6F-02BC692B7C6E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*\",\"versionEndIncluding\":\"3.1.0\",\"matchCriteriaId\":\"F59F801F-E7B5-4F37-A2E8-6024AD6DD7B2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:3.1.0:beta1:*:*:beta:*:*:*\",\"matchCriteriaId\":\"B9BBED17-A6BA-4F17-8814-8D8521F28375\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:3.1.0:beta2:*:*:beta:*:*:*\",\"matchCriteriaId\":\"888B8ECF-EBE0-4821-82F6-B0026E95E407\"}]}]}],\"references\":[{\"url\":\"https://github.com/discourse/discourse/commit/39c2f63b35d90ebaf67b9604cf1d424e5984203c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/discourse/discourse/pull/20710\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/discourse/discourse/security/advisories/GHSA-9897-x229-55gh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/discourse/discourse/commit/39c2f63b35d90ebaf67b9604cf1d424e5984203c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/discourse/discourse/pull/20710\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/discourse/discourse/security/advisories/GHSA-9897-x229-55gh\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.