Developers of Discourse, a popular open source forum platform, have patched a critical security flaw that could allow remote code execution (RCE) on vulnerable installations.
The critical bug (CVE-2021-41163) affects Discourse versions 2.7.8 and earlier and is triggered by a malicious Amazon SNS subscription payload sent to Discourse's AWS notification webhook handler. The root cause was traced to a validation bug in the upstream aws-sdk-sns gem that the handler relies on.
Because subscribe_url values were not validated, a crafted request to the webhook endpoint could lead to remote code execution.
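The validation gap described above, as an added example in Ruby that is not Discourse's code or the aws-sdk-sns gem's: it shows how an unchecked SubscribeURL string becomes command execution if it reaches Ruby's Kernel#open (a sink this example assumes; the article does not name the call Discourse used), beside a validator that accepts only https URLs on an assumed SNS host pattern before fetching with Net::HTTP. The payloads are constructed, not captured traffic, and the gem-side bug is not modelled.

```ruby
require "uri"
require "net/http"

# Added example, not Discourse's or the aws-sdk-sns gem's code.
# Assumptions: the dangerous sink is Kernel#open, which treats a string
# beginning with "|" as a shell command rather than a path or URL, and
# SNS subscribe endpoints look like sns.<region>.amazonaws.com(.cn).

# Constructed SNS-style payloads (not captured traffic).
LEGIT_SUBSCRIBE_URL = "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription" \
                      "&TopicArn=arn:aws:sns:us-east-1:123456789012:example&Token=abc"
MALICIOUS_SUBSCRIBE_URL = "|echo pwned"

# Vulnerable pattern: an unvalidated SubscribeURL handed straight to Kernel#open.
# With "|echo pwned" this spawns `echo pwned` via the shell and returns its output.
def confirm_subscription_unsafe(subscribe_url)
  open(subscribe_url) { |io| io.read }
end

# Assumed SNS endpoint shape. Anchored with \A and \z on purpose: in Ruby,
# ^ and $ match line boundaries, not the ends of the string.
SNS_HOST = /\Asns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?\z/

def valid_subscribe_url?(subscribe_url)
  return false unless subscribe_url.is_a?(String)
  uri = URI.parse(subscribe_url)
  return false unless uri.is_a?(URI::HTTPS)                  # rejects "|cmd", file paths, plain http
  return false unless uri.host && SNS_HOST.match?(uri.host)  # rejects user@evil and look-alike hosts
  true
rescue URI::InvalidURIError
  false
end

# Hardened pattern: validate first, then fetch with a client that only speaks
# HTTP(S). The fetcher is injectable so the check can be exercised offline.
def confirm_subscription_safe(subscribe_url, fetcher: ->(uri) { Net::HTTP.get(uri) })
  unless valid_subscribe_url?(subscribe_url)
    raise ArgumentError, "refusing SubscribeURL #{subscribe_url.inspect}"
  end
  fetcher.call(URI.parse(subscribe_url))
end

if __FILE__ == $PROGRAM_NAME
  puts confirm_subscription_unsafe(MALICIOUS_SUBSCRIBE_URL) # the command actually ran
  puts valid_subscribe_url?(LEGIT_SUBSCRIBE_URL)
  begin
    confirm_subscription_safe(MALICIOUS_SUBSCRIBE_URL)
  rescue ArgumentError => e
    puts e.message
  end
end
```

Scheme and host are checked on the parsed URI rather than with a string prefix test, so userinfo tricks (`https://sns.us-east-1.amazonaws.com@evil.example/`) and suffix look-alikes (`...amazonaws.com.evil.example`) are rejected along with the pipe payload.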
Users are advised to update to Discourse version 2.7.9 or later. “This issue is patched in the latest stable, beta and tests-passed versions of Discourse,” says an alert on GitHub.
The alert also points to a partial workaround for installations that cannot update immediately: blocking requests whose path starts with /webhooks/aws at an upstream proxy.
The vulnerability was discovered by security researcher ‘joernchen’, who has detailed it on his blog.