Platform: discourse
Component: discourse
Fixed in: 3.3.3, 3.4.1
CVE-2024-45297 describes an information disclosure vulnerability in Discourse, an open-source community discussion platform. An attacker can potentially view topics that have been assigned a hidden tag if they possess knowledge of the tag's label or name. This vulnerability impacts Discourse versions 3.3.2 and earlier. Users are strongly advised to upgrade to the latest stable, beta, or tests-passed version of Discourse to address this issue.
The primary impact of CVE-2024-45297 is the unauthorized exposure of sensitive or private topics within a Discourse community. An attacker who can identify the label of a hidden tag can bypass access controls and view the associated content. This could lead to the disclosure of confidential discussions, internal announcements, or other information intended to be restricted to a specific group of users. While the vulnerability doesn't directly lead to code execution or data modification, the exposure of sensitive information can have significant reputational and operational consequences for the Discourse community.
CVE-2024-45297 was publicly disclosed on 2024-10-07. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. Given the relatively low complexity of exploiting this vulnerability (requiring only knowledge of a tag label), it is possible that attackers may begin targeting vulnerable Discourse instances.
Discourse installations running versions 3.3.2 or earlier are at risk. This includes organizations using Discourse for internal communication, online forums, or community support platforms. Shared hosting environments running Discourse are also potentially affected, as they may not have control over software updates.
EPSS: 0.47% (64th percentile)
The definitive mitigation for CVE-2024-45297 is to upgrade Discourse to the latest stable, beta, or tests-passed version. The vendor has released a patch that resolves this information disclosure issue. Unfortunately, there are no known workarounds for this vulnerability beyond upgrading. Ensure that your Discourse instance is regularly updated to benefit from the latest security patches and improvements. After upgrading, verify that hidden tags are functioning as expected and that only authorized users can access the associated topics.
Upgrade Discourse to the latest stable, beta, or tests-passed version. This fixes the vulnerability that allows unauthorized users to filter the topic list by hidden tags.
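To confirm that instances you administer are on a fixed release, the version each one reports can be compared against the "Fixed in" values above. The following is an added example, not code from Discourse or from this advisory. It assumes the version appears in a generator meta tag of the form `content="Discourse <version> - ..."`, that release lines newer than 3.4 include the fix, and that pre-releases of a fixed version count as unfixed. The function names and the sample pages are constructed for illustration.

```ruby
require "rubygems" # Gem::Version; loaded by default, required here for clarity

# First fixed release per release line, from this page's "Fixed in" list.
FIXED_IN = {
  "3.3" => Gem::Version.new("3.3.3"),
  "3.4" => Gem::Version.new("3.4.1")
}.freeze
OLDEST_PATCHED_LINE = Gem::Version.new("3.3")

# Extract the version from a page's generator meta tag.
# Assumption: the tag has the form content="Discourse <version> - ...".
def discourse_version(html)
  m = html.match(/<meta\s+name="generator"\s+content="Discourse\s+([0-9A-Za-z.\-]+)/i)
  m && m[1]
end

# Returns :affected, :fixed or :unknown for a version string.
def cve_2024_45297_status(version)
  return :unknown unless version.to_s.match?(/\A\d+(\.[0-9A-Za-z]+)*(-[0-9A-Za-z]+)?\z/)

  v = Gem::Version.new(version)
  line = v.segments.first(2).join(".") # "3.4.0.beta1" -> "3.4"
  fixed = FIXED_IN[line]
  # Pre-releases sort below their release, so 3.4.1.beta1 counts as unfixed
  # (conservative assumption; the page lists only 3.4.1).
  return v < fixed ? :affected : :fixed if fixed

  # Lines older than 3.3 have no fix listed on this page; newer lines are
  # assumed to include it.
  Gem::Version.new(line) < OLDEST_PATCHED_LINE ? :affected : :fixed
end

# Constructed sample pages for three hypothetical instances.
SAMPLE_PAGES = {
  "forum-a" => '<meta name="generator" content="Discourse 3.3.2 - https://github.com/discourse/discourse version PLACEHOLDER">',
  "forum-b" => '<meta name="generator" content="Discourse 3.4.1 - https://github.com/discourse/discourse version PLACEHOLDER">',
  "forum-c" => "<html><head><title>no generator tag</title></head></html>"
}.freeze

# Map each instance name to its status.
def triage(pages)
  pages.transform_values { |html| cve_2024_45297_status(discourse_version(html)) }
end

puts triage(SAMPLE_PAGES) if __FILE__ == $PROGRAM_NAME
```

An `:unknown` result means the version could not be read and the instance should be checked by hand from its admin dashboard.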
CVE-2024-45297 is a vulnerability in Discourse where attackers can view hidden topics if they know the tag label, impacting versions ≤ 3.3.2.
Yes, if you are running Discourse version 3.3.2 or earlier, you are affected by this information disclosure vulnerability.
Upgrade Discourse to the latest stable, beta, or tests-passed version. There are no known workarounds besides upgrading.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the official Discourse security announcement on their website for details: https://blog.discourse.org/topic/95338-security-notice-cve-2024-45297