CISA warns of remote code execution vulnerability with Discourse

CISA recently urged developers to update Discourse versions 2.7.8 and earlier, warning of a critical remote code execution (RCE) vulnerability (CVE-2021-41163) discovered in the platform.

The issue was patched on Friday, and developers explained that CVE-2021-41163 involved "a validation bug in the upstream aws-sdk-sns gem" that could "lead to RCE in Discourse via a maliciously crafted request."

Developers noted that to work around the issue without updating, "requests with a path starting /webhooks/aws could be blocked at an upstream proxy."
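The proxy-level workaround quoted above, written out as an added example (not configuration from Discourse or the original article), assuming nginx is the reverse proxy in front of Discourse; the hostname and upstream name are placeholders:

```nginx
# Added example: stop-gap rule for an nginx reverse proxy in front of
# Discourse, denying the AWS SNS webhook path until the patched release
# is deployed. "discourse_upstream" and the server_name are placeholders.
upstream discourse_upstream {
    server 127.0.0.1:3000;   # placeholder: wherever the Discourse app listens
}

server {
    listen 443 ssl;
    server_name forum.example.com;   # placeholder hostname

    # "^~" is a prefix match that wins over regex locations, so every request
    # whose path starts with /webhooks/aws is rejected here. nginx matches on
    # the decoded, normalised URI, so percent-encoded or "/./"-style variants
    # of the prefix are caught as well.
    location ^~ /webhooks/aws {
        return 403;
    }

    # Everything else is passed through to Discourse unchanged.
    location / {
        proxy_pass http://discourse_upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Blocking the path also stops any legitimate SNS notifications Discourse receives on that endpoint, so the rule should be removed once the instance is updated to a fixed version.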

The popular open source discussion platform attracts millions of users every month, which is why CISA is urging administrators to apply the update promptly.