In a statement, the Cybersecurity and Infrastructure Security Agency (CISA) warned of a critical security flaw in Discourse, an open source discussion platform. According to the report, the flaw resides in the upstream gem aws-sdk-sns and is described as a validation error whose exploitation would allow remote code execution through a specially crafted request.
As some users may know, Discourse is a software solution for managing mailing lists and Internet forums and controlling long-form chat rooms, as well as providing live updates and attachment functionality.
The flaw is tracked as CVE-2021-41163 and received a score of 10/10 according to the Common Vulnerability Scoring System (CVSS). Both CISA and Discourse point out that the flaw exists due to insufficient validation of subscribe_url values. The developers released a patch and refused to share additional technical details due to the possibility of active exploitation.
This bug was fixed in Discourse versions 2.7.9 and 2.8.0.beta7, so administrators should upgrade to one of these versions to fully mitigate the security risks associated with the flaw. Those who cannot upgrade right now are encouraged to block, at an upstream proxy, any request whose path begins with the /webhooks/aws prefix.
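To check whether the interim proxy block is effective, and whether the endpoint was requested before it was in place, the proxy's access log can be audited for the prefix. The following is an added example, not code from Discourse or CISA; it assumes the nginx/Apache "combined" log format and a proxy rule that answers 403, and the sample log lines are constructed.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

BLOCKED_PREFIX = "/webhooks/aws"  # prefix named in the advisory

# Assumption: nginx/Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Oct/2021:10:01:02 +0000] "GET /latest.json HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [27/Oct/2021:10:02:11 +0000] "POST /webhooks/aws HTTP/1.1" 200 2 "-" "-"',
    '198.51.100.7 - - [27/Oct/2021:10:02:15 +0000] "POST //webhooks/%61ws?x=1 HTTP/1.1" 200 2 "-" "-"',
    '203.0.113.5 - - [27/Oct/2021:11:30:00 +0000] "POST /webhooks/aws HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.5 - - [27/Oct/2021:11:30:09 +0000] "GET /webhooks/other HTTP/1.1" 404 0 "-" "-"',
]

def normalize_path(target):
    """Drop the query string, percent-decode, collapse '//' and dot segments."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path) if path else "/"

def is_webhook_request(target):
    # Deliberately broad for auditing: any normalized path starting with the prefix.
    return normalize_path(target).startswith(BLOCKED_PREFIX)

def audit(lines, block_status="403"):
    """Return (hits, per_ip); a hit is 'blocked' if the proxy answered block_status."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_webhook_request(m["target"]):
            continue
        hits.append({"ts": m["ts"], "ip": m["ip"], "target": m["target"],
                     "status": m["status"], "blocked": m["status"] == block_status})
        per_ip[m["ip"]] += 1
    return hits, per_ip

if __name__ == "__main__":
    hits, per_ip = audit(SAMPLE_LOG)
    for h in hits:
        flag = "blocked" if h["blocked"] else "NOT BLOCKED"
        print(f'{h["ts"]} {h["ip"]} {h["target"]} -> {h["status"]} ({flag})')
    print("requests per source:", dict(per_ip))
```

Any hit that was not answered by the block status predates the proxy rule or slipped past it, and is worth correlating with application logs for the same timestamp.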
According to developers, Discourse has more than 14,000 active installations worldwide, although it’s hard to know exactly how many users might be affected by this flaw.