CVE-2024-55948
Published: 04 February 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2024-55948 affects Discourse, an open source platform for community discussion. The vulnerability enables an attacker to craft an XHR request that poisons the anonymous cache, for example by causing cached responses to lack preloaded data. This issue is limited to anonymous visitors of the site and is classified under CWE-346, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L).
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation poisons the anonymous cache, resulting in high integrity impact (I:H) such as serving incomplete or manipulated responses to anonymous users, alongside low availability impact (A:L).
The issue has been patched in the latest version of Discourse, and users are advised to upgrade. Those unable to upgrade can mitigate the issue by disabling the anonymous cache, which is done by setting the DISCOURSE_DISABLE_ANON_CACHE environment variable to a non-empty value. See the advisory at https://github.com/discourse/discourse/security/advisories/GHSA-2352-252q-qc82 for details.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a public-facing web application (T1190) via crafted XHR requests to poison the anonymous cache, facilitating application/service disruption/DoS (T1499.004) and stored data manipulation by altering cached responses served to anonymous users (T1565.001).