Vulnerability Details : CVE-2023-28112
Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, some user provided URLs were being passed to FastImage without SSRF protection. Insufficient protections could enable attackers to trigger outbound network connections from the Discourse server to private IP addresses. This affects any site running the `tests-passed` or `beta` branches versions 3.1.0.beta2 and prior. This issue is patched in version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.
Vulnerability category: Server-side request forgery (SSRF)
Products affected by CVE-2023-28112
- cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*
- cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*
- cpe:2.3:a:discourse:discourse:3.1.0:beta1:*:*:beta:*:*:*
- cpe:2.3:a:discourse:discourse:3.1.0:beta2:*:*:beta:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-28112
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 39 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-28112
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
2.8
|
5.2
|
NIST | |
5.9
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N |
1.6
|
4.2
|
GitHub, Inc. |
CWE ids for CVE-2023-28112
-
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-28112
-
https://github.com/discourse/discourse/security/advisories/GHSA-9897-x229-55gh
SSRF protection missing for some FastImage requests · Advisory · discourse/discourse · GitHubVendor Advisory
-
https://github.com/discourse/discourse/pull/20710
SECURITY: Multiple commits for version bump beta3 by oblakeerickson · Pull Request #20710 · discourse/discourse · GitHubPatch
-
https://github.com/discourse/discourse/commit/39c2f63b35d90ebaf67b9604cf1d424e5984203c
SECURITY: Add FinalDestination::FastImage that's SSRF safe · discourse/discourse@39c2f63 · GitHubPatch
Jump to