Home > Vulnerability Database > CVE-2022-23641

Mend.io Vulnerability Database

CVE-2022-23641

Date: February 15, 2022

Discourse is an open source discussion platform. In versions prior to 2.8.1 in the "stable" branch, 2.9.0.beta2 in the "beta" branch, and 2.9.0.beta2 in the "tests-passed" branch, users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job trigger an infinite loop, which cause memory leaks. This issue is patched in version 2.8.1 of the "stable" branch, 2.9.0.beta2 of the "beta" branch, and 2.9.0.beta2 of the "tests-passed" branch. As a workaround, disable onebox in admin panel completely or specify allow list of domains that will be oneboxed.

Language: Ruby

Severity Score

6.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-23641

Url: https://github.com/discourse/discourse/pull/15927

Url: https://github.com/discourse/discourse/security/advisories/GHSA-22xw-f62v-cfxv

Url: https://github.com/discourse/discourse/commit/a34075d205a8857e29574ffd82aaece0c467565e

Url: https://www.mend.io/vulnerability-database/CVE-2022-23641

Severity Score

6.5

Weakness Type (CWE)

Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-835

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	4.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-23641

Date: February 15, 2022

Language: Ruby

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?