QwikSec

Security Database

CVE

CWE

Training

CVE-2023-28107

Published: Mar 17, 2023

Modified: Feb 25, 2025

PUBLISHED

CVSS v3.1

4.5

MEDIUM

Description

Discourse is an open-source discussion platform. Prior to version 3.0.2 of the `stable` branch and version 3.1.0.beta3 of the `beta` and `tests-passed` branches, a user logged as an administrator can request backups multiple times, which will eat up all the connections to the DB. If this is done on a site using multisite, then it can affect the whole cluster. The vulnerability is patched in version 3.0.2 of the `stable` branch and version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.

Vendor	Product	Versions
discourse	discourse	affected `stable < 3.0.2` affected `beta < 3.1.0.beta3` affected `tests-passed < 3.1.0.beta3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/discourse/discourse/security/advisories/GHSA-cp7c-fm4c-6xxx

x_refsource_CONFIRM

https://github.com/discourse/discourse/pull/20700

x_refsource_MISC

https://github.com/discourse/discourse/pull/20701

x_refsource_MISC

https://github.com/discourse/discourse/commit/0bd64788d2b4680c04fbef76314a24884d65fed9

x_refsource_MISC

https://github.com/discourse/discourse/commit/78a3efa7104eed6dd3ed7a06a71e2705337d9e61

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.