Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches, a malicious actor could get the FastImage library to redirect requests to an internal Discourse IP. This issue is patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta4 on the `beta` and `tests-passed` branches. No known workarounds are available.
References
Configurations
Configuration 1 (hide)
|
History
18 Sep 2024, 13:50
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/discourse/discourse/commit/5b8cf11b69e05d5c058c1148ec69ec309491fa6e - Patch | |
References | () https://github.com/discourse/discourse/commit/67e78086035cec494b15ce79342a0cb9052c2d95 - Patch | |
References | () https://github.com/discourse/discourse/security/advisories/GHSA-46pq-7958-fc68 - Third Party Advisory | |
CPE | cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.3.0:beta2:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:* cpe:2.3:a:discourse:discourse:3.3.0:beta3:*:*:beta:*:*:* cpe:2.3:a:discourse:discourse:3.3.0:beta1:*:*:beta:*:*:* |
|
First Time |
Discourse
Discourse discourse |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
05 Jul 2024, 12:55
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
03 Jul 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-03 20:15
Updated : 2024-09-18 13:50
NVD link : CVE-2024-37157
Mitre link : CVE-2024-37157
CVE.ORG link : CVE-2024-37157
JSON object : View
Products Affected
discourse
- discourse
CWE
CWE-918
Server-Side Request Forgery (SSRF)