CVE-2023-23616— Discourse 资源管理错误漏洞

Discourse membership requests lack character limit

Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, when submitting a membership request, there is no character limit for the reason provided with the request. This could potentially allow a user to flood the database with a large amount of data. However it is unlikely this could be used as part of a DoS attack, as the paths reading back the reasons are only available to administrators. Starting in version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, a limit of 280 characters has been introduced for membership requests.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

未加控制的资源消耗(资源穷尽)

Discourse 资源管理错误漏洞

Discourse是一套开源的社区讨论平台。该平台包括社区、电子邮件和聊天室等功能。 Discourse 3.0.1之前版本（稳定版）、3.1.0.beta2之前版本（测试版和测试通过版）存在资源管理错误漏洞，该漏洞源于在提交成员资格请求时，对于请求提供的原因没有字符限制，从而导致大量数据淹没数据库。

N/A

N/A