CVE-2022-23548

Summary

CVE	CVE-2022-23548
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-01-05 19:15:00 UTC
Updated	2023-05-16 11:15:00 UTC
Description	Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.

Risk And Classification

Problem Types: CWE-1333

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Discourse	Discourse	All	All	All	All
Application	Discourse	Discourse	2.9.0	beta1	All	All
Application	Discourse	Discourse	2.9.0	beta10	All	All
Application	Discourse	Discourse	2.9.0	beta11	All	All
Application	Discourse	Discourse	2.9.0	beta12	All	All
Application	Discourse	Discourse	2.9.0	beta13	All	All
Application	Discourse	Discourse	2.9.0	beta14	All	All
Application	Discourse	Discourse	2.9.0	beta2	All	All
Application	Discourse	Discourse	2.9.0	beta3	All	All
Application	Discourse	Discourse	2.9.0	beta4	All	All
Application	Discourse	Discourse	2.9.0	beta5	All	All
Application	Discourse	Discourse	2.9.0	beta6	All	All
Application	Discourse	Discourse	2.9.0	beta7	All	All
Application	Discourse	Discourse	2.9.0	beta8	All	All
Application	Discourse	Discourse	3.0.0	beta15	All	All

References

Reference	Source	Link	Tags
SECURITY: use rstrip instead of regex gsub to prevent ReDOS by tgxworld · Pull Request #19737 · discourse/discourse · GitHub	MISC	github.com
Regex susceptible to ReDOS · Advisory · discourse/discourse · GitHub	MISC	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.