CVE-2022-24824
Anonymous user cache poisoning in Discourse
In short
An attacker can trick the cache system in Discourse into showing a broken crawler view to anonymous visitors instead of the normal website, making the site appear broken for people who aren't logged in.
Technical detail
Cache poisoning vulnerability (CWE-829) affecting anonymous users in Discourse; attackers can manipulate cached responses to serve crawler-intended content to regular visitors, resulting in partial denial-of-service. Requires no authentication and impacts cached content delivery for unauthenticated sessions.
Summary generated and translated by AI from the official description.
Discourse is an open source platform for community discussion. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown the crawler view of the site instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no known workarounds for this issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected products
discourse · discourse