Insufficient Server Side Request Forgery protections - discourse-oauth2-basic

Moderate
jomaxro published GHSA-qj5f-8cm8-rhf8 Nov 1, 2022

Package

discourse-oauth2-basic (Discourse)

Affected versions

<= 2efe6578

Patched versions

> 2efe6578

Description

Impact

Insufficient protections could enable malicious admins to trigger outbound network connections from the Discourse server to private IP addresses.

The high severity of this advisory reflects the worst-case scenario where admins are untrusted, and there are sensitive services on the internal network. This may be true in some deployments (e.g. shared hosting environments). But for the majority of self-hosters following our standard install, admins are trusted and so the impact is much lower.

For more information, see GHSA-rcc5-28r3-23rr.
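As an added illustration of the kind of protection this advisory concerns (example code written for this page, not code from the discourse-oauth2-basic plugin or its fix), the guard below takes an admin-supplied URL, resolves its host, and refuses any target that lands in private, loopback, link-local or other internal ranges. The blocked range list and the injectable `resolver` are assumptions made for the example.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Ranges an outbound-request guard treats as internal (constructed list for
# this example; extend it for your deployment, e.g. cloud metadata endpoints).
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

def blocked_address?(addr)
  ip = IPAddr.new(addr.to_s)
  # Fold IPv4-mapped IPv6 (::ffff:10.0.0.1) back to IPv4 so it cannot bypass the list.
  ip = ip.native if ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  true # anything unparseable is rejected, not allowed through
end

# Returns [allowed, detail]. `resolver` only needs #getaddresses(host), so the
# check can run offline in tests; in production pass Resolv::DNS.new.
def safe_outbound_target?(url, resolver: Resolv::DNS.new)
  uri = URI.parse(url)
  return [false, "unsupported scheme"] unless %w[http https].include?(uri.scheme)
  host = uri.hostname # strips IPv6 brackets, e.g. "[::1]" -> "::1"
  return [false, "missing host"] if host.nil? || host.empty?

  # A literal IP needs no lookup; a hostname is resolved to every address it has.
  literal = (IPAddr.new(host) rescue nil)
  addrs = literal ? [host] : resolver.getaddresses(host).map(&:to_s)
  return [false, "host did not resolve"] if addrs.empty?

  # Every resolved address must pass; one internal record is enough to refuse.
  # To avoid a DNS-rebinding race, the actual request should then connect to
  # one of these vetted addresses rather than re-resolving the hostname.
  bad = addrs.find { |a| blocked_address?(a) }
  bad ? [false, "resolves to internal address #{bad}"] : [true, addrs]
rescue URI::InvalidURIError
  [false, "unparseable URL"]
end
```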

Patches

The problem is resolved in the latest version of discourse-oauth2-basic.

Workarounds

None

Severity

Moderate

CVE ID

CVE-2022-39241

Weaknesses

No CWEs