Vulnerability DatabaseCVE-2023-28107
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-28107
March 17, 2023
Discourse is an open-source discussion platform. Prior to version 3.0.2 of the "stable" branch and version 3.1.0.beta3 of the "beta" and "tests-passed" branches, a user logged as an administrator can request backups multiple times, which will eat up all the connections to the DB. If this is done on a site using multisite, then it can affect the whole cluster. The vulnerability is patched in version 3.0.2 of the "stable" branch and version 3.1.0.beta3 of the "beta" and "tests-passed" branches. There are no known workarounds.
Related ResourcesĀ (5)
https://github.com/discourse/discourse/pull/20701
https://github.com/discourse/discourse/pull/20700
https://github.com/discourse/discourse/commit/78a3efa7104eed6dd3ed7a06a71e2705337d9e61
https://github.com/discourse/discourse/commit/0bd64788d2b4680c04fbef76314a24884d65fed9
https://github.com/discourse/discourse/security/advisories/GHSA-cp7c-fm4c-6xxx
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.8
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Allocation of Resources Without Limits or Throttling
CWE-770
EPSS
Base Score:
0.98