Unrated severityNVD Advisory· Published Mar 17, 2023· Updated Feb 25, 2025

Discourse vulnerable to multisite DoS by spamming backups

CVE-2023-28107

Description

Discourse is an open-source discussion platform. Prior to version 3.0.2 of the stable branch and version 3.1.0.beta3 of the beta and tests-passed branches, a user logged as an administrator can request backups multiple times, which will eat up all the connections to the DB. If this is done on a site using multisite, then it can affect the whole cluster. The vulnerability is patched in version 3.0.2 of the stable branch and version 3.1.0.beta3 of the beta and tests-passed branches. There are no known workarounds.

Affected products

Discourse (software)/Discoursev5
Range: stable < 3.0.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/discourse/discourse/commit/0bd64788d2b4680c04fbef76314a24884d65fed9mitrex_refsource_MISC
github.com/discourse/discourse/commit/78a3efa7104eed6dd3ed7a06a71e2705337d9e61mitrex_refsource_MISC
github.com/discourse/discourse/pull/20700mitrex_refsource_MISC
github.com/discourse/discourse/pull/20701mitrex_refsource_MISC
github.com/discourse/discourse/security/advisories/GHSA-cp7c-fm4c-6xxxmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000