Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-23548

Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.

Published

2023-01-05T19:15:09.423

Last Modified

2024-11-21T06:48:47.437

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-1333
Type: Primary
CWE-1333

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	discourse	discourse	< 2.8.14	Yes
Application	discourse	discourse	2.9.0	Yes
Application	discourse	discourse	2.9.0	Yes
Application	discourse	discourse	2.9.0	Yes
Application	discourse	discourse	2.9.0	Yes
Application	discourse	discourse	2.9.0	Yes
Application	discourse	discourse	2.9.0	Yes
Application	discourse	discourse	2.9.0	Yes
Application	discourse	discourse	2.9.0	Yes
Application	discourse	discourse	2.9.0	Yes
Application	discourse	discourse	2.9.0	Yes
Application	discourse	discourse	2.9.0	Yes
Application	discourse	discourse	2.9.0	Yes
Application	discourse	discourse	2.9.0	Yes
Application	discourse	discourse	3.0.0	Yes

References

https://github.com/discourse/discourse/pull/19737 Patch, Third Party Advisory ([email protected])
https://github.com/discourse/discourse/security/advisories/GHSA-7rw2-f4x7-7pxf Third Party Advisory ([email protected])
https://github.com/discourse/discourse/pull/19737 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/discourse/discourse/security/advisories/GHSA-7rw2-f4x7-7pxf Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)