Description

Discourse is an open source platform for community discussion. This vulnerability only impacts Discourse instances configured to use `FileStore::LocalStore` which means uploads and backups are stored locally on disk. If an attacker knows the name of the Discourse backup file, the attacker can trick nginx into sending the Discourse backup file with a well crafted request. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. Users unable to upgrade can either 1. Download all local backups on to another storage device, disable the `enable_backups` site setting and delete all backups until the site has been upgraded to pull in the fix. Or 2. Change the `backup_location` site setting to `s3` so that backups are stored and downloaded directly from S3.

INFO

Published Date :

2024-12-19T19:11:20.590Z

Last Modified :

2024-12-20T20:43:11.036Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-53991 vulnerability.

Vendors Products
Discourse
  • Discourse
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-53991.

URL Resource
https://github.com/discourse/discourse/security/advisories/GHSA-567m-82f6-56rv cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact