CVE-2024-23654

discourse-ai is the AI plugin for the open-source discussion platform Discourse. Prior to commit 94ba0dadc2cf38e8f81c3936974c167219878edd, interactions with different AI services are vulnerable to admin-initiated SSRF attacks. Versions of the plugin that include commit 94ba0dadc2cf38e8f81c3936974c167219878edd contain a patch. As a workaround, one may disable the discourse-ai plugin.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/discourse/discourse-ai/commit/94ba0dadc2cf38e8f81c3936974c167219878edd
https://github.com/discourse/discourse-ai/security/advisories/GHSA-32cj-rm2q-22cc

Configurations

No configuration.

History

22 Feb 2024, 19:07

Type	Values Removed	Values Added
Summary		(es) discurso-ai es el complemento de inteligencia artificial para la plataforma de discusión de código abierto Discourse. Antes del commit 94ba0dadc2cf38e8f81c3936974c167219878edd, las interacciones con diferentes servicios de IA son vulnerables a ataques SSRF iniciados por el administrador. Las versiones del complemento que incluyen el commit 94ba0dadc2cf38e8f81c3936974c167219878edd contienen un parche. Como workaround, se puede desactivar el complemento discurso-ai.

21 Feb 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-21 21:15

Updated : 2024-02-22 19:07

NVD link : CVE-2024-23654

Mitre link : CVE-2024-23654

CVE.ORG link : CVE-2024-23654

JSON object : View

Products Affected

No product.

CWE

CWE-918

Server-Side Request Forgery (SSRF)

4.1 /10