CVE-2024-47773
Published 2024-10-08. CVE-2024-47773: Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data.
Priority: P356 · Severity: high · CVSS 3.1 base score: 8.2
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Exploit likelihood (EPSS): 1.59% (72.7th percentile)
Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data. This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| discourse | discourse | < 3.3.2 | 3.3.2 |
| discourse | discourse | — | — |
| discourse | discourse | — | — |
Detection & IOCs (extracted from sources)
- Detect rapid, repeated unauthenticated (cookie-less) XHR requests to Discourse JSON endpoints (e.g. /categories.json, /latest.json, /top.json, /site.json) from the same IP; the exploit fires 50 requests per endpoint per thread across up to 10 threads.
- Flag requests carrying the `X-Requested-With: XMLHttpRequest` header combined with `Accept: application/json, text/javascript, */*; q=0.01` to Discourse JSON endpoints without any session cookie, as this matches the exploit's anonymous XHR fingerprint.
- Monitor Discourse anonymous cache responses for missing or empty `preloaded` data fields; a poisoned cache entry will serve responses where preloaded data is absent or empty to all subsequent anonymous visitors.
- Alert when the `DISCOURSE_DISABLE_ANON_CACHE` environment variable is unset on Discourse instances; its absence is a prerequisite for exploitation.
- The vulnerability exclusively affects anonymous (unauthenticated) visitors; authenticated sessions are not impacted by the cache poisoning.
- Setting `DISCOURSE_DISABLE_ANON_CACHE` to any non-empty value fully mitigates the attack without patching, making it a viable interim control.
- The exploit was tested against Discourse 3.1.x and 3.2.x; instances already on the latest patched release are not vulnerable.
No advisories linked to this vulnerability.
No detection rules found.
No writeups or analysis indexed.