Server-Side Request Forgery (SSRF) in Discourse - CVE-2022-39241

 

Server-Side Request Forgery (SSRF) in Discourse - CVE-2022-39241

Published: November 1, 2022 / Updated: July 1, 2026


Vulnerability identifier: #VU136072
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-39241
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information from internal network services.

The vulnerability exists due to insufficient server-side request forgery protections in Discourse server-side request handling when processing user-supplied URLs that trigger outbound connections to private IP addresses. A remote privileged user can send a specially crafted request to disclose sensitive information from internal network services.

Depending on the available privileges, exploitation may trigger HTTP GET or POST requests, and may also trigger git clone operations over HTTP or SSH. Response visibility is limited in some cases.


How to mitigate CVE-2022-39241

Install security update from vendor's website.

Sources