github plausible/analytics v3.2.1
on GitHub

9 hours ago

Security related update

This patch release fixes a security vulnerability affecting the following versions of Plausible Community Edition (image: ghcr.io/plausible/community-edition):
Tags:

  • v3.2
  • v3.2.0
  • v3
  • v3.2.0-rc.0
  • v3.1
  • v3.1.0
  • v3.1.0-rc.1
  • v3.1.0-rc.0
  • v3.0.1
  • v3.0
  • v3.0.0
  • v3.0.0-rc.6
  • v3.0.0-rc.5
  • v3.0.0-rc.4
  • v3.0.0-rc.3
  • v3.0.0-rc.2
  • v3.0.0-rc.1
  • v3.0.0-rc.0

The affected versions expose a HTTP "/storybook" endpoint which, under certain conditions, allows remote code execution with privileges of system user running the application.

This release v3.2.1 of Plausible Community Edition completely removes that endpoint.

Who is affected?

All deployments of Plausible Community Edition running the following versions:

  • v3.2
  • v3.2.0
  • v3
  • v3.2.0-rc.0
  • v3.1
  • v3.1.0
  • v3.1.0-rc.1
  • v3.1.0-rc.0
  • v3.0.1
  • v3.0
  • v3.0.0
  • v3.0.0-rc.6
  • v3.0.0-rc.5
  • v3.0.0-rc.4
  • v3.0.0-rc.3
  • v3.0.0-rc.2
  • v3.0.0-rc.1
  • v3.0.0-rc.0

where HTTP "/storybook" endpoint is exposed to a public or other untrusted network.

Mitigation

All affected versions of Plausible Community Edition should be updated to v3.2.1 as soon as possible.

As an immediate mitigation, it is recommended to block access to HTTP "/storybook" endpoint in your reverse proxy configuration or via other applicable means.

Changes in this release

  • Remove HTTP "/storybook" endpoint along with the associated logic

No other changes are included in this release.

Check out latest releases or
releases around plausible/analytics v3.2.1

Don't miss a new analytics release

NewReleases is sending notifications on new releases.

Get notifications