2021-10-21 Discourse: RCE via malicious SNS subscription payload
The following are the versions affected by this bug:
- stable: 2.7.8
- beta: 2.8.0.beta6
- tests-passed: 2.8.0.beta6
How to patch it
The following versions have been patched. Please update your deployment to run one of them:
- stable: 2.7.9
- beta: 2.8.0.beta7
- tests-passed: 2.8.0.beta7
IMPORTANT: If you want to work around the issue without updating the Discourse version, requests with a path starting with /webhooks/aws could be blocked at an upstream proxy.
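One way to apply this workaround when the upstream proxy is nginx, shown as an added example that is not part of the original advisory or of the Bitnami or Discourse configuration. The upstream name, backend address, hostname and log path are assumptions; the blocks belong inside the `http` context.

```nginx
# Added example; discourse_app, 127.0.0.1:3000, discourse.example.com and
# the log path are assumed values, not taken from the advisory.
upstream discourse_app {
    server 127.0.0.1:3000;   # assumed address of the Discourse application
}

server {
    listen 80;
    server_name discourse.example.com;   # placeholder hostname

    # Too narrow: an exact match covers only the bare path, so any longer
    # path with the same prefix would still be proxied to the application.
    # location = /webhooks/aws { return 403; }

    # Prefix match: covers every path starting with /webhooks/aws.
    # nginx matches locations against the normalized URI (percent-decoded,
    # with "." and ".." resolved and duplicate slashes merged).
    # "^~" stops nginx from checking regex locations, which would otherwise
    # take precedence over a plain prefix match and could proxy the request.
    location ^~ /webhooks/aws {
        # Separate log so blocked attempts are easy to review.
        access_log /var/log/nginx/blocked_webhooks_aws.log;
        return 403;
    }

    # Everything else is passed to Discourse unchanged.
    location / {
        proxy_pass http://discourse_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, a request to any path under /webhooks/aws should be answered with 403 by the proxy and recorded in the separate log, without reaching Discourse.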
The Bitnami team has already released the new version of Discourse for all the supported platforms (virtual machine, cloud image, container and Helm Chart).
Do you have more questions? Please post to our community forum if you are running a Discourse cloud image, installer, or virtual machine. If you have deployed a container or Helm chart, please open an issue in the Bitnami GitHub repository. Our support team will be happy to help you there.