CVE-2024-47773
Published: 08 October 2024
Summary
CVE-2024-47773 is a high-severity Externally Controlled Reference to a Resource in Another Sphere (CWE-610) vulnerability in Discourse (vendor: Discourse). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
Discourse, an open source discussion platform, contains a cache poisoning vulnerability that allows an attacker to issue multiple XHR requests and replace cached responses with versions that lack preloaded data. The flaw is restricted to responses served to anonymous visitors and stems from insufficient validation of cacheable content before it is stored and replayed.
An unauthenticated remote attacker can exploit the issue over the network to corrupt the anonymous cache, resulting in integrity violations for site content delivered to unauthenticated users and a limited availability impact. The CVSS 8.2 score reflects the absence of required authentication or user interaction combined with the ability to affect integrity without direct code execution.
The GitHub Security Advisory GHSA-58vv-9j8h-hw2v states that the problem is fixed in the current release of Discourse. Administrators who cannot upgrade immediately may set the DISCOURSE_DISABLE_ANON_CACHE environment variable to any non-empty value to disable the affected caching layer for anonymous requests. The EPSS score has remained flat at 0.0785 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42683
Vulnerability details
Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data. This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-47773 enables unauthenticated remote exploitation of the public-facing Discourse web application via anonymous cache poisoning through XHR requests, allowing attackers to manipulate cached responses served to anonymous visitors.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
CWE-610 control: limit the impact of an externally controlled reference to a primary information resource by switching to an identified alternative resource.