2021-10-21 Discourse: RCE via malicious SNS subscription payload
The following are the versions affected by this bug:
- stable: 2.7.8
- beta: 2.8.0.beta6
- tests-passed: 2.8.0.beta6
How to patch it
The following versions have been patched. Please update your deployment to run one of them:
- stable: 2.7.9
- beta: 2.8.0.beta7
- tests-passed: 2.8.0.beta7
IMPORTANT: If you want to work around the issue without updating the Discourse version, requests with a path starting with /webhooks/aws could be blocked at an upstream proxy.
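One way to apply that workaround, as an added example that is not part of the original advisory or of the Discourse or Bitnami configuration. It assumes nginx is the upstream proxy; the hostname, upstream address and log path are placeholders.

```nginx
# Assumed backend address; replace with where Discourse actually listens.
upstream discourse {
    server 127.0.0.1:3000;
}

server {
    listen 80;
    server_name forum.example.com;   # placeholder hostname

    # Reject every request whose path starts with /webhooks/aws before it
    # reaches the application. "^~" is a prefix match that also stops nginx
    # from evaluating regex locations, so a later regex block cannot
    # accidentally re-route these requests to the backend.
    location ^~ /webhooks/aws {
        # Separate log so blocked attempts are easy to review and alert on.
        access_log /var/log/nginx/webhooks_aws_blocked.log;
        return 403;
    }

    # Everything else is proxied to Discourse as before.
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://discourse;
    }
}
```

nginx matches locations against the normalized URI (percent-decoded, with `.`/`..` resolved and adjacent slashes merged), so the rule also covers encoded or padded variants of the path. Remove the block once the deployment runs a patched version.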
The Bitnami team already released the new version of Discourse for all the supported platforms (virtual machine, cloud image, container and Helm Chart).