CVE-2024-23654

discourse-ai is the AI plugin for the open-source discussion platform Discourse. Prior to commit 94ba0dadc2cf38e8f81c3936974c167219878edd, interactions with different AI services are vulnerable to admin-initiated SSRF attacks. Versions of the plugin that include commit 94ba0dadc2cf38e8f81c3936974c167219878edd contain a patch. As a workaround, one may disable the discourse-ai plugin.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/discourse/discourse-ai/commit/94ba0dadc2cf38e8f81c3936974c167219878edd
https://github.com/discourse/discourse-ai/security/advisories/GHSA-32cj-rm2q-22cc

Configurations

No configuration.

History

No history.

Information

Published : 2024-02-21 21:15

Updated : 2024-02-22 19:07

NVD link : CVE-2024-23654

Mitre link : CVE-2024-23654

CVE.ORG link : CVE-2024-23654

JSON object : View

Products Affected

No product.

CWE

CWE-918

Server-Side Request Forgery (SSRF)

4.1 /10