CVE-2023-22739: 
NixOS vulnerability analysis and mitigation

Discourse, an open source platform for community discussion, was found to have a vulnerability in versions prior to 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed). The vulnerability was disclosed on January 25, 2023, and was assigned CVE-2023-22739. The issue involved unlimited data storage in topic drafts, which could be exploited by malicious users (GitHub Advisory).

The vulnerability received a CVSS v3.1 base score of 5.7 (Moderate), with the following characteristics: Network attack vector, Low attack complexity, Low privileges required, User interaction required, Unchanged scope, No impact on confidentiality and integrity, but High impact on availability. The technical vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability could be exploited by a malicious user to cause a denial of service condition, making the Discourse instance come to a crawl. This was possible due to the absence of limits on data contained in drafts (GitHub Advisory).

The issue has been patched in Discourse versions 3.0.1 (stable), 3.1.0.beta2 (beta), and 3.1.0.beta2 (tests-passed). No workarounds are available, and users are advised to upgrade to the patched versions (GitHub Advisory).