Home > Vulnerability Database > CVE-2023-28112

Mend.io Vulnerability Database

CVE-2023-28112

Good to know:

Date: March 17, 2023

Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, some user provided URLs were being passed to FastImage without SSRF protection. Insufficient protections could enable attackers to trigger outbound network connections from the Discourse server to private IP addresses. This affects any site running the `tests-passed` or `beta` branches versions 3.1.0.beta2 and prior. This issue is patched in version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.

Language: Ruby

Severity Score

5.9

Related Resources (5)

Url: https://github.com/discourse/discourse/commit/39c2f63b35d90ebaf67b9604cf1d424e5984203c

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-28112

Url: https://github.com/discourse/discourse/pull/20710

Url: https://github.com/discourse/discourse/security/advisories/GHSA-9897-x229-55gh

Url: https://www.mend.io/vulnerability-database/CVE-2023-28112

Severity Score

5.9

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version v3.0.2

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-28112

Good to know:

Date: March 17, 2023

Language: Ruby

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?