Discourse is a popular open-source Internet forum and mailing list management software application. The US CISA published a security advisory to urge administrators to fix a critical remote code execution flaw, tracked as CVE-2021-41163, in Discourse installs. The vulnerability received a CVSS v3 score of 10.0.
“Discourse—an open source discussion platform—has released a security advisory to address a critical remote code execution (RCE) vulnerability (CVE-2021-41163) in Discourse versions 2.7.8 and earlier.” reads the advisory published by the researchers.
CISA recommends development teams install versions 2.7.9 or later that address the vulnerability, or apply the necessary workarounds.
Discourse also published an advisory about the issue, the flaw is a validation bug in the upstream as-SDK-Sns gem that can lead to the RCE. An attacker could exploit the vulnerability via a maliciously crafted request.
The CVE-2021-41163 has been addressed in the latest stable, beta and tests-passed versions of Discourse. The development team recommends to block at an upstream proxy every request with a path starting /webhooks/aws.
“In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. To workaround the issue without updating, requests with a path starting /webhooks/aws path could be blocked at an upstream proxy.” reads the advisory published by the NIST.
A quick search of Discourse installs using the Shodan search engine reveals the existence of 8,639 potentially exploitable systems, most of them in the US.
(SecurityAffairs – hacking, CVE-2021-41163)