Discourse Open Source Forum Vulnerable to Memory Depletion Attacks

CVE: CVE-2023-47120
CVSS v3.1: 7.5
Source: CVE-2023-47120

Discourse, an open source forum platform, was found to have a vulnerability that could allow attackers to deplete the memory of servers running certain versions.

The vulnerability was present in Discourse versions 3.1.0 through 3.1.2 and 3.1.0.beta6 through 3.2.0.beta2 and involved crafting a site with an abnormally long favicon URL. By drafting multiple posts that referenced this long URL, it was possible to consume significant amounts of memory on the Discourse server through a process known as “Oneboxing”.

Oneboxing is a feature that Discourse uses to automatically expand URL previews within posts. But by abusing it with a very long favicon URL, attackers could effectively launch a denial of service attack against the forum.

It is recommended that all Discourse users running affected versions immediately update to version 3.1.3 or later from the stable branch, or 3.2.0.beta3 or later from the beta branch. These newer versions contain fixes for the memory depletion vulnerability.

For users unable to update right away, limiting the length of URLs allowed in posts could help reduce exposure to this attack. Overall it serves as a reminder of the importance of keeping software up-to-date with the latest patches to prevent security issues.
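The root cause described above is a value of unbounded length taken from a remote page and carried into a link preview. The sketch below is an added example, not Discourse's code or its patch: it shows one way a preview fetcher can bound a favicon URL before keeping it. The function name, the regex-based tag matching, and both limits are assumptions chosen for illustration.

```ruby
require "uri"

# Assumed limits for illustration; not Discourse settings.
MAX_HTML_BYTES = 512 * 1024     # inspect only the first 512 KiB of a fetched page
MAX_FAVICON_URL_BYTES = 2_000   # drop icon URLs longer than this

LINK_TAG = /<link\b[^>]*>/i
ICON_REL = /\brel\s*=\s*["']?[^"'>]*\bicon\b/i
HREF     = /\bhref\s*=\s*["']([^"']*)["']/i

# Returns an absolute http(s) favicon URL, or nil when the page has none or
# the value is oversized or malformed. The preview is then built without an icon.
def bounded_favicon_url(html, page_url, max_bytes: MAX_FAVICON_URL_BYTES)
  # Truncate first so a multi-megabyte attribute is never copied out of the body.
  head = html.byteslice(0, MAX_HTML_BYTES).scrub("")
  head.scan(LINK_TAG) do |tag|
    next unless tag.match?(ICON_REL)
    href = tag[HREF, 1]
    next if href.nil? || href.empty?
    return nil if href.bytesize > max_bytes
    begin
      absolute = URI.join(page_url, href).to_s
    rescue URI::Error
      return nil
    end
    return nil if absolute.bytesize > max_bytes
    return absolute.start_with?("http://", "https://") ? absolute : nil
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample pages.
  page = "https://site.example/article"
  normal = %(<head><link rel="shortcut icon" href="/favicon.ico"></head>)
  padded = %(<head><link rel="icon" href="https://site.example/#{"a" * 100_000}.ico"></head>)
  p bounded_favicon_url(normal, page)
  p bounded_favicon_url(padded, page)
end
```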
