Race condition in Discourse

#VU78758 Race condition in Discourse

Published: 2023-07-31

Vulnerability identifier: #VU78758

Vulnerability risk: Low

CVSSv3.1: 2.3 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-37904

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Discourse
Web applications / Forum & blogging software

Vendor: Civilized Discourse Construction Kit, Inc.

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to a race condition in Accept Invite. A remote user can exploit the race and create more users than permitted from invite links.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Discourse: 3.0.5 - 3.1.0 beta6

External links
http://github.com/discourse/discourse/commit/62a609ea2d0645a27ee8adbb01ce10a5e03a600b
http://github.com/discourse/discourse/security/advisories/GHSA-6wj5-4ph2-c7qg

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Discourse