Security Notices

2021-10-21 Discourse: RCE via malicious SNS subscription payload

A validation bug in the upstream aws-sdk-sns Ruby gem can lead to Remote Code Execution (RCE) in Discourse via a maliciously crafted request; see CVE-2021-41162.

Affected versions

The following are the versions affected by this bug:

  • stable: 2.7.8
  • beta: 2.8.0.beta6
  • tests-passed: 2.8.0.beta6

How to patch it

These are the versions that have been patched; please update your deployment to run any of the following versions:

  • stable: 2.7.9
  • beta: 2.8.0.beta7
  • tests-passed: 2.8.0.beta7

| IMPORTANT: If you want to work around the issue without updating the Discourse version, requests with a path starting with /webhooks/aws can be blocked at an upstream proxy.
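As an added illustration of that workaround (this configuration is not part of the Bitnami notice or of Discourse itself), the following nginx reverse-proxy fragment rejects every request whose path begins with /webhooks/aws before it reaches the Discourse application. The hostname forum.example.com and the upstream name discourse are placeholders for your own deployment.

```nginx
# Added example, not from the Bitnami notice: edge rule for the CVE-2021-41162
# workaround. Assumes nginx already fronts Discourse through an upstream
# block named "discourse" (placeholder) and terminates TLS here.
server {
    listen 443 ssl;
    server_name forum.example.com;   # placeholder hostname

    # Reject the vulnerable endpoint at the proxy. The "^~" prefix match wins
    # over any regex locations, so a later rule cannot accidentally route
    # these requests through to the application.
    location ^~ /webhooks/aws {
        return 403;
    }

    # Everything else is proxied to Discourse as before.
    location / {
        proxy_pass http://discourse;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, a request such as `curl -i https://forum.example.com/webhooks/aws` should return HTTP 403 rather than reaching Discourse. Note that this rule also rejects legitimate SNS notifications delivered to that endpoint, so it is a stopgap until the deployment runs a patched version, at which point the location block can be removed.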

The Bitnami team already released the new version of Discourse for all the supported platforms (virtual machine, cloud image, container and Helm Chart).

Do you have more questions? You can open an issue. If you have deployed a container or Helm chart, please open an issue here. Our support team will be happy to help you there.

Last modification June 29, 2022