Home > Vulnerability Database > CVE-2023-28111

Mend.io Vulnerability Database

CVE-2023-28111

Good to know:

Date: March 17, 2023

Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, attackers are able to bypass Discourse's server-side request forgery (SSRF) protection for private IPv4 addresses by using a IPv4-mapped IPv6 address. The issue is patched in the latest beta and tests-passed version of Discourse. version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.

Language: Ruby

Severity Score

5.7

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-28111

Url: https://github.com/discourse/discourse/pull/20710

Url: https://github.com/discourse/discourse/security/advisories/GHSA-26h3-8ww8-v5fc

Url: https://github.com/discourse/discourse/commit/fd16eade7fcc6bba4b71e71106a2eb13cdfdae4a

Url: https://www.mend.io/vulnerability-database/CVE-2023-28111

Severity Score

5.7

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version v3.0.2

Learn More

CVSS v3.1

Base Score:	5.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-28111

Good to know:

Date: March 17, 2023

Language: Ruby

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?