Over the weekend, the US Cybersecurity and Infrastructure Security Agency (CISA) published an alert about a critical vulnerability in the open source discussion platform Discourse.
The vulnerability is a validation mistake in the upstream aws-sdk-sns gem that can be used to obtain remote code execution in Discourse. An attacker would need to send a specially crafted request to exploit the flaw.
The vulnerability, tracked as CVE-2021-41163, carries a CVSS score of 10 (critical) and stems from missing validation of the subscribe URL parameters handled by that code path.
Fixes are included in Discourse 2.7.9 on the stable branch and in 2.8.0.beta7 on the beta and tests-passed branches.
“CISA strongly advises developers to upgrade to patched versions 2.7.9 or later, or use workarounds,” the US agency stated on Sunday.
Those who cannot move to a patched version immediately should block any request whose path begins with /webhooks/aws at an upstream proxy, the Discourse team advises.
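As an added illustration of that workaround, written for this article rather than taken from the Discourse team's own deployment files, the rule below is what it looks like on an nginx reverse proxy placed in front of an unpatched instance. The upstream name, backend port and hostname are assumptions.

```nginx
# Added example, not Discourse's own configuration: a stopgap for an nginx
# reverse proxy in front of an unpatched Discourse. The upstream name,
# 127.0.0.1:8080 and forum.example.com are assumed values.
upstream discourse_backend {
    server 127.0.0.1:8080;   # assumption: the Discourse container listens here
}

server {
    listen 80;
    server_name forum.example.com;

    # The ^~ prefix modifier takes precedence over any regex "location"
    # blocks in this server, so a broader rule cannot let these requests
    # through. nginx matches against the normalized, percent-decoded path,
    # so /webhooks/%61ws and /webhooks/../webhooks/aws are caught as well.
    location ^~ /webhooks/aws {
        return 403;
    }

    location / {
        proxy_pass http://discourse_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` before reloading, then confirm with `curl -i http://forum.example.com/webhooks/aws` that the proxy answers 403 without the request reaching Discourse. Note that this endpoint is where Discourse receives Amazon SNS notifications, so legitimate SNS deliveries are blocked too; the rule is a temporary measure to be removed once the instance is upgraded to 2.7.9 or later.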
Discourse is a self-hosted Internet forum and mailing list management software with features such as a long-form chat room, live updates, and drag-and-drop attachments.
Discourse claims to have over 2,000 customers. According to BuiltWith statistics, the platform has been installed on over 31,000 websites, although only about 14,300 of them are currently live. It is not known how many of those remain unpatched.