CVE-2024-55948
Published: 04 February 2025
Summary
CVE-2024-55948 is a high-severity Origin Validation Error (CWE-346) vulnerability in Discourse Discourse. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly addresses this CVE by requiring timely patching of the Discourse vulnerability or applying workarounds like disabling anonymous caching.
Protection of information in shared system resources like the anonymous cache prevents unauthorized poisoning via crafted XHR requests.
Information input validation checks crafted XHR requests to block invalid inputs that poison the anonymous cache.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables exploitation of a public-facing web application (T1190) via crafted XHR requests to poison the anonymous cache, facilitating application/service disruption/DoS (T1499.004) and stored data manipulation by altering cached responses served to anonymous users (T1565.001).
NVD Description
Discourse is an open source platform for community discussion. In affected versions an attacker can make craft an XHR request to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only…
more
affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.
Deeper analysisAI
CVE-2024-55948 affects Discourse, an open source platform for community discussion. The vulnerability enables an attacker to craft an XHR request that poisons the anonymous cache, for example by causing cached responses to lack preloaded data. This issue is limited to anonymous visitors of the site and is classified under CWE-346, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L).
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation poisons the anonymous cache, resulting in high integrity impact (I:H) such as serving incomplete or manipulated responses to anonymous users, alongside low availability impact (A:L).
The issue has been patched in the latest version of Discourse, and users are advised to upgrade. Those unable to upgrade can mitigate by disabling the anonymous cache via the DISCOURSE_DISABLE_ANON_CACHE environment variable set to a non-empty value. See the advisory at https://github.com/discourse/discourse/security/advisories/GHSA-2352-252q-qc82 for details.
Details
- CWE(s)