CVE-2023-37904: 
NixOS vulnerability analysis and mitigation

Discourse, an open source discussion platform, was found to have a vulnerability (CVE-2023-37904) where more users than permitted could be created from invite links. This vulnerability affected versions prior to 3.0.6 of the 'stable' branch and version 3.1.0.beta7 of the 'beta' and 'tests-passed' branches. The issue was discovered and disclosed in July 2023, impacting the user invitation system of the platform (GitHub Advisory).

The vulnerability was classified as a race condition (CWE-362) in the invite acceptance process. It received a CVSS v3.1 Base Score of 3.1 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. The issue stemmed from concurrent invite accepts that could bypass the maximum redemption limit checks (NVD).

The vulnerability allowed attackers to create more user accounts than intended through invite links, potentially bypassing user limit restrictions and account creation controls. This could lead to unauthorized access to the platform and potential misuse of system resources (GitHub Advisory).

The issue was patched in version 3.0.6 of the 'stable' branch and version 3.1.0.beta7 of the 'beta' and 'tests-passed' branches. As a temporary workaround, administrators can restrict invitations to email address invites only. The fix implemented proper handling of concurrent invite accepts through database locking mechanisms (GitHub Commit).