CVE-2022-24824 : Discourse is an open source platform for community discussion. In affected versi

Discourse is an open source platform for community discussion. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown the crawler view of the site instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no known workarounds for this issue.

Published 2022-04-14 22:15:08

Updated 2022-04-22 19:53:10

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: File inclusionDenial of service

Products affected by CVE-2022-24824

Discourse » Discourse
Versions before (<) 2.8.3
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
Matching versions
Discourse » Discourse » Version: 2.9.0 Update Beta1
cpe:2.3:a:discourse:discourse:2.9.0:beta1:*:*:*:*:*:*
Matching versions
Discourse » Discourse » Version: 2.9.0 Update Beta2
cpe:2.3:a:discourse:discourse:2.9.0:beta2:*:*:*:*:*:*
Matching versions
Discourse » Discourse » Version: 2.9.0 Update Beta3
cpe:2.3:a:discourse:discourse:2.9.0:beta3:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-24824

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 18 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-24824

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2022-24824

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2022-24824

https://github.com/discourse/discourse/commit/b72b0dac10493d09f4f9eb8f3c3ce7817295e34e

SECURITY: Ensure user-agent-based responses are cached separately (st… · discourse/discourse@b72b0da · GitHub
Patch;Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-46v9-3jc4-f53w

Anonymous user cache poisoning via maliciously formed request · Advisory · discourse/discourse · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-24824

Products affected by CVE-2022-24824

Exploit prediction scoring system (EPSS) score for CVE-2022-24824

CVSS scores for CVE-2022-24824

CWE ids for CVE-2022-24824

References for CVE-2022-24824