Impact
Insufficient protections could enable malicious admins to trigger outbound network connections from the Discourse server to private IP addresses.
The high severity of this advisory reflects the worst-case scenario where admins are untrusted, and there are sensitive services on the internal network. This may be true in some deployments (e.g. shared hosting environments). But for the majority of self-hosters following our standard install, admins are trusted and so the impact is much lower.
For more information, see GHSA-rcc5-28r3-23rr
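An added example, not code from the discourse-openid-connect plugin, of the destination check such a protection needs: resolve the admin-supplied endpoint and refuse any address in a private, loopback or link-local range. The URLs, hostnames and stub resolver below are constructed for the example.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Address ranges a server-side fetch of an admin-supplied URL must never reach.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# True if the address (String or IPAddr) falls in a blocked range.
# IPv4-mapped IPv6 (::ffff:10.0.0.5) is unwrapped so it cannot bypass the IPv4 list.
def blocked_address?(addr)
  ip = addr.is_a?(IPAddr) ? addr : IPAddr.new(addr)
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  true # anything we cannot parse is treated as unsafe
end

# Decide whether an admin-supplied OIDC endpoint URL may be fetched. The resolver
# is injectable (a constructed stub in the test); by default it uses system DNS.
def safe_oidc_destination?(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = begin
    URI.parse(url)
  rescue URI::InvalidURIError
    nil
  end
  return false unless uri.is_a?(URI::HTTP) && uri.hostname # http(s) only, host required
  host = uri.hostname # brackets already stripped from IPv6 literals
  addrs = begin
    [IPAddr.new(host)] # literal IP: no DNS lookup needed
  rescue IPAddr::InvalidAddressError
    resolver.call(host) # hostname: check every address it resolves to
  end
  return false if addrs.empty? # unresolvable hosts are refused
  addrs.none? { |a| blocked_address?(a) }
end
```

The same check has to be applied to the address the HTTP client actually connects to, not only to the configured URL at save time, because a hostname can resolve differently at request time.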
Patches
The problem is resolved in the latest version of discourse-openid-connect
Workarounds
None