CVE-2024-37299: 
NixOS vulnerability analysis and mitigation

Discourse, an open source discussion platform, was found to be vulnerable to a Denial of Service (DoS) attack through tag group name manipulation. The vulnerability (CVE-2024-37299) affects versions prior to 3.2.5 and 3.3.0.beta5, where crafted requests with very long tag group names could reduce the availability of a Discourse instance (Vendor Advisory).

The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 7.5 (HIGH) according to NVD, while GitHub rates it at 4.9 (MEDIUM). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) and no user interaction (UI:N). The scope is unchanged (S:U) with no impact on confidentiality (C:N) or integrity (I:N), but high impact on availability (A:H) (NVD).

The primary impact of this vulnerability is on system availability. When exploited, the vulnerability can reduce the availability of a Discourse instance through the submission of extremely long tag group names (Vendor Advisory).

The vulnerability has been patched in Discourse versions 3.2.5 and 3.3.0.beta5. For users unable to update immediately, a workaround involves manually trimming down tag group names either through the UI or SQL (Vendor Advisory).