Vulnerabilities > CVE-2024-23654 - Server-Side Request Forgery (SSRF) vulnerability in Discourse AI

CVSS 7.2 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

discourse

CWE-918

NVD

Published: 2024-02-21

Updated: 2025-02-05

Summary

discourse-ai is the AI plugin for the open-source discussion platform Discourse. Prior to commit 94ba0dadc2cf38e8f81c3936974c167219878edd, interactions with different AI services are vulnerable to admin-initiated SSRF attacks. Versions of the plugin that include commit 94ba0dadc2cf38e8f81c3936974c167219878edd contain a patch. As a workaround, one may disable the discourse-ai plugin.

Vulnerable Configurations

Part	Description	Count
Application	Discourse Discourse AI *	1

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

https://github.com/discourse/discourse-ai/commit/94ba0dadc2cf38e8f81c3936974c167219878edd
https://github.com/discourse/discourse-ai/commit/94ba0dadc2cf38e8f81c3936974c167219878edd
https://github.com/discourse/discourse-ai/security/advisories/GHSA-32cj-rm2q-22cc
https://github.com/discourse/discourse-ai/security/advisories/GHSA-32cj-rm2q-22cc