Vendor: Discourse
Affected product: Discourse
Affected versions: stable <= 3.0.2; beta <= 3.1.0.beta3; tests-passed <= 3.1.0.beta3
Vulnerability type: CWE-1333: Inefficient Regular Expression Complexity
Description: A maliciously crafted request from a Discourse administrator can lead to a long-running request and eventual timeout. This has the greatest potential impact in shared hosting environments where admins are untrusted.
Status: fixed in stable >= 3.0.3; beta <= 3.1.0.beta4; tests-passed <= 3.1.0.beta4
Reporter: So Sakaguchi, GMO Cybersecurity by Ierae, Inc.