Vulnerabilities > CVE-2023-44384 - Server-Side Request Forgery (SSRF) vulnerability in Discourse Jira 20231001

CVSS 4.1 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

discourse

CWE-918

NVD

Published: 2023-10-06

Updated: 2023-10-11

Summary

Discourse-jira is a Discourse plugin allows Jira projects, issue types, fields and field options will be synced automatically. An administrator user can make an SSRF attack by setting the Jira URL to an arbitrary location and enabling the `discourse_jira_verbose_log` site setting. A moderator user could manipulate the request path to the Jira API, allowing them to perform arbitrary GET requests using the Jira API credentials, potentially with elevated permissions, used by the application.

Vulnerable Configurations

Part	Description	Count
Application	Discourse Discourse Discourse Jira - Discourse Discourse Jira 2023-10-01	2

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References