Vulnerability Description
Discourse is an open source platform for community discussion. In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. To workaround the issue without updating, requests with a path starting /webhooks/aws path could be blocked at an upstream proxy.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | < 2.7.9 |
Related Weaknesses (CWE)
References
- https://github.com/discourse/discourse/commit/fa3c46cf079d28b086fe1025349bb00223PatchThird Party Advisory
- https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-pvpc-qgwqThird Party Advisory
- https://github.com/discourse/discourse/commit/fa3c46cf079d28b086fe1025349bb00223PatchThird Party Advisory
- https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-pvpc-qgwqThird Party Advisory
FAQ
What is CVE-2021-41163?
CVE-2021-41163 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Discourse is an open source platform for community discussion. In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscri...
How severe is CVE-2021-41163?
CVE-2021-41163 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-41163?
Check the references section above for vendor advisories and patch information. Affected products include: Discourse Discourse.