CVE-2024-21655 - Vulnerability Details - OpenCVE

Discourse is a platform for community discussion. For fields that are client editable, limits on sizes are not imposed. This allows a malicious actor to cause a Discourse instance to use excessive disk space and also often excessive bandwidth. The issue is patched 3.1.4 and 3.2.0.beta4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Discourse	Discourse

Configuration 1 [-]

OR	cpe:2.3:a:discourse:discourse:::::stable:::*
	cpe:2.3:a:discourse:discourse:3.2.0:beta1:::beta:::*
	cpe:2.3:a:discourse:discourse:3.2.0:beta2:::beta:::*
	cpe:2.3:a:discourse:discourse:3.2.0:beta3:::beta:::*

No data.

References

Link	Providers
https://github.com/discourse/discourse/security/advisories/GHSA-m5fc-94mm-38fx

History

Tue, 03 Jun 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-12T20:46:00.196Z

Updated: 2025-06-03T14:03:56.412Z

Reserved: 2023-12-29T16:10:20.366Z

Link: CVE-2024-21655

Vulnrichment

Updated: 2024-08-01T22:27:36.251Z

NVD

Status : Modified

Published: 2024-01-12T21:15:11.510

Modified: 2024-11-21T08:54:48.830

Link: CVE-2024-21655

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21655", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T16:10:20.366Z", "datePublished": "2024-01-12T20:46:00.196Z", "dateUpdated": "2025-06-03T14:03:56.412Z"}, "containers": {"cna": {"title": "Insufficient control of custom field value sizes", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-m5fc-94mm-38fx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-m5fc-94mm-38fx"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": "< 3.1.4", "status": "affected"}, {"version": ">= 3.2.0beta1, < 3.2.0.beta4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-12T20:46:00.196Z"}, "descriptions": [{"lang": "en", "value": "Discourse is a platform for community discussion. For fields that are client editable, limits on sizes are not imposed. This allows a malicious actor to cause a Discourse instance to use excessive disk space and also often excessive bandwidth. The issue is patched 3.1.4 and 3.2.0.beta4."}], "source": {"advisory": "GHSA-m5fc-94mm-38fx", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.251Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-m5fc-94mm-38fx", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-m5fc-94mm-38fx"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T19:10:03.485373Z", "id": "CVE-2024-21655", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-03T14:03:56.412Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-m5fc-94mm-38fx", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-m5fc-94mm-38fx", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.251Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21655", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-08T19:10:03.485373Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T19:10:05.223Z"}}], "cna": {"title": "Insufficient control of custom field value sizes", "source": {"advisory": "GHSA-m5fc-94mm-38fx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": "< 3.1.4"}, {"status": "affected", "version": ">= 3.2.0beta1, < 3.2.0.beta4"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-m5fc-94mm-38fx", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-m5fc-94mm-38fx", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Discourse is a platform for community discussion. For fields that are client editable, limits on sizes are not imposed. This allows a malicious actor to cause a Discourse instance to use excessive disk space and also often excessive bandwidth. The issue is patched 3.1.4 and 3.2.0.beta4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-12T20:46:00.196Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21655", "state": "PUBLISHED", "dateUpdated": "2025-06-03T14:03:56.412Z", "dateReserved": "2023-12-29T16:10:20.366Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-12T20:46:00.196Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*", "matchCriteriaId": "A51406A4-A2FE-4BFE-8EA0-58359582D6A7", "versionEndExcluding": "3.1.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:3.2.0:beta1:*:*:beta:*:*:*", "matchCriteriaId": "1BFF647B-6CEF-43BF-BF5E-C82B557F78E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:3.2.0:beta2:*:*:beta:*:*:*", "matchCriteriaId": "10D931DE-F8F5-4A34-A30A-FDD4420ABD1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:3.2.0:beta3:*:*:beta:*:*:*", "matchCriteriaId": "C62C36D4-6CE7-4A57-BBF7-8066CFAE342A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Discourse is a platform for community discussion. For fields that are client editable, limits on sizes are not imposed. This allows a malicious actor to cause a Discourse instance to use excessive disk space and also often excessive bandwidth. The issue is patched 3.1.4 and 3.2.0.beta4."}, {"lang": "es", "value": "Discourse es una plataforma para la discusi\u00f3n comunitaria. Para los campos que el cliente puede editar, no se imponen l\u00edmites de tama\u00f1o. Esto permite que un actor malintencionado haga que una instancia de Discourse utilice espacio en disco excesivo y, a menudo, tambi\u00e9n ancho de banda excesivo. El problema est\u00e1 parcheado en 3.1.4 y 3.2.0.beta4."}], "id": "CVE-2024-21655", "lastModified": "2024-11-21T08:54:48.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-12T21:15:11.510", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-m5fc-94mm-38fx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-m5fc-94mm-38fx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}