CVE-2023-38684: 
NixOS vulnerability analysis and mitigation

Discourse, an open source discussion platform, was found to have a vulnerability (CVE-2023-38684) where multiple controller actions accepted limit parameters without imposing upper bounds. The vulnerability affected versions prior to 3.0.6 of the 'stable' branch and version 3.1.0.beta7 of the 'beta' and 'tests-passed' branches. This security issue was disclosed on July 28, 2023 (NVD, GitHub Advisory).

The vulnerability stems from the lack of upper bounds on limit parameters in multiple controller actions. Without these bounds, the application would accept arbitrary values for database query limits. The issue received a CVSS v3.1 Base Score of 7.5 (HIGH) from NVD and 5.3 (MEDIUM) from GitHub, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

The vulnerability could allow arbitrary users to generate database queries that may exhaust server resources, potentially leading to a denial of service condition. The impact primarily affects the availability of the system, with no direct effect on confidentiality or integrity (GitHub Advisory).

The vulnerability was patched in version 3.0.6 of the 'stable' branch and version 3.1.0.beta7 of the 'beta' and 'tests-passed' branches. The fix introduced a new 'fetch_limit_from_params' helper method in 'ApplicationController' that enforces safe limits on parameter values. No workarounds are available for this vulnerability, and users are advised to upgrade to the patched versions (GitHub Commit).