v3.2.1

[cnkk]

Security related update

This patch release fixes a security vulnerability affecting the following versions of Plausible Community Edition (image: ghcr.io/plausible/community-edition):
Tags:

• v3.2
• v3.2.0
• v3
• v3.2.0-rc.0
• v3.1
• v3.1.0
• v3.1.0-rc.1
• v3.1.0-rc.0
• v3.0.1
• v3.0
• v3.0.0
• v3.0.0-rc.6
• v3.0.0-rc.5
• v3.0.0-rc.4
• v3.0.0-rc.3
• v3.0.0-rc.2
• v3.0.0-rc.1
• v3.0.0-rc.0

The affected versions expose a HTTP "/storybook" endpoint which, under certain conditions, allows remote code execution with privileges of system user running the application.

This release v3.2.1 of Plausible Community Edition completely removes that endpoint.

Who is affected?

All deployments of Plausible Community Edition running the following versions:

• v3.2
• v3.2.0
• v3
• v3.2.0-rc.0
• v3.1
• v3.1.0
• v3.1.0-rc.1
• v3.1.0-rc.0
• v3.0.1
• v3.0
• v3.0.0
• v3.0.0-rc.6
• v3.0.0-rc.5
• v3.0.0-rc.4
• v3.0.0-rc.3
• v3.0.0-rc.2
• v3.0.0-rc.1
• v3.0.0-rc.0

where HTTP "/storybook" endpoint is exposed to a public or other untrusted network.

Mitigation

All affected versions of Plausible Community Edition should be updated to v3.2.1 as soon as possible.

As an immediate mitigation, it is recommended to block access to HTTP "/storybook" endpoint in your reverse proxy configuration or via other applicable means.

Changes in this release

• Remove HTTP "/storybook" endpoint along with the associated logic

No other changes are included in this release.

---

This discussion was created from the release v3.2.1.