
Discourse Fixes Critical Vulnerability in Forum Software


The developers of Discourse, a popular open source forum software, have announced that they have patched a critical security flaw that could allow remote code execution (RCE) on vulnerable systems.

The critical bug (CVE-2021-41163), which affects Discourse versions 2.7.8 and earlier, is triggered through a malicious Amazon SNS subscription payload. The root cause was traced to a validation bug in the upstream aws-sdk-sns gem, used by Discourse’s AWS notification webhook handler.

The lack of validation of subscribe_url values leaves the software vulnerable to RCE through malicious requests.
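One strict allow-list check for a subscribe_url value, as an added example (not Discourse's or the aws-sdk-sns gem's actual patch). The method name, the accepted host pattern and the sample values are assumptions made for illustration.

```ruby
require "uri"

# Assumption for this example: SNS endpoints look like
# sns.<region>.amazonaws.com, plus the .com.cn partition.
SNS_HOST = /\Asns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?\z/

# Returns a parsed URI::HTTPS object when the value is acceptable, nil otherwise.
# The caller should hand only this parsed object to an HTTP client and
# never pass the raw, attacker-supplied string to anything else.
def validated_subscribe_url(value)
  return nil unless value.is_a?(String) && value.length <= 2048
  # Printable ASCII only: no whitespace, control characters or non-ASCII bytes.
  return nil unless value.ascii_only? && value.match?(/\A[\x21-\x7e]+\z/)

  uri = URI.parse(value)
  return nil unless uri.is_a?(URI::HTTPS)            # https only
  return nil unless uri.userinfo.nil?                # no user:pass@ tricks
  return nil unless uri.port == 443                  # default TLS port only
  return nil unless uri.host && SNS_HOST.match?(uri.host.downcase)

  uri
rescue URI::InvalidURIError
  nil
end

# Constructed sample values (not taken from any real notification).
SAMPLES = [
  "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=abc",
  "http://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription",
  "https://sns.us-east-1.amazonaws.com.example.org/confirm",
  "https://user@sns.us-east-1.amazonaws.com/confirm",
  "https://sns.us-east-1.amazonaws.com:8443/confirm",
  "https://sns.us-east-1.amazonaws.com/ confirm",
  nil
].freeze

# Splits the samples into accepted and rejected values.
def classify(samples)
  samples.partition { |s| validated_subscribe_url(s) }
end

if __FILE__ == $0
  accepted, rejected = classify(SAMPLES)
  puts "accepted: #{accepted.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```
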


Users are advised to update to Discourse versions 2.7.9 or later. “This issue is patched in the latest stable, beta and tests-passed versions of Discourse,” says an alert on GitHub.

The alert also points to a workaround that offers some protection: blocking requests with a path starting with /webhooks/aws at an upstream proxy.

The critical vulnerability was discovered by security researcher ‘joernchen’, who has detailed it on his blog.

 
