Admins who use the open source software Discourse on their servers to manage Internet forums and mailing lists should update as soon as possible: the developers have closed a security hole classified as critical which, according to the description, could have been abused to execute code remotely without prior authentication (remote code execution).
The entry for CVE-2021-41163 in the National Vulnerability Database assigns a CVSS score of 9.8 out of a possible 10 to the vulnerability. It is based on inadequate validation of “subscribe_url” values and can be attacked using a specially prepared request. In a security notice, the US agency CISA urgently advises applying the update or one of the workarounds suggested by the developers.
Technical details on CVE-2021-41163 can be found in a detailed description by the person who discovered the vulnerability. Nothing is known about attacks in the wild.
Vulnerable versions, update & workaround
According to the update notice from the Discourse developers, the current stable, beta and “tests-passed” versions of the software are secured. They cite stable versions up to and including 2.7.8 as well as beta and tests-passed up to and including 2.8.0.beta6 as vulnerable. The security hole has been removed from versions 2.7.9 and 2.8.0.beta7 and up.
Alternatively, the developers suggest using an upstream proxy to block requests that start with the path “/webhooks/aws” as a workaround.
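An admin can check both points, the installed version and whether the proxy block is actually taking effect, with a short script. The following is an added example, not code from the Discourse project or from the advisories: it assumes version strings of the form 2.7.8 or 2.8.0.beta6, an access log in the common "combined" format, and a proxy rule that answers blocked requests with status 403; the function names and the log lines are constructed for illustration.

```python
import re

# Version boundaries as stated in the article: fixed in 2.7.9 and 2.8.0.beta7.
FIXED_STABLE = (2, 7, 9)
FIXED_BETA = 7
BLOCKED_PREFIX = "/webhooks/aws"   # path prefix named in the workaround
RELEASE = 10**6                    # ranks a final release above any betaN

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.beta(\d+))?$")
LOG_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2021:10:00:00 +0000] "GET /latest HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [01/Nov/2021:10:00:05 +0000] "POST /webhooks/aws HTTP/1.1" 403 153 "-" "-"',
    '198.51.100.7 - - [01/Nov/2021:10:00:09 +0000] "POST /webhooks/aws HTTP/1.1" 200 2 "-" "-"',
]


def is_vulnerable(version):
    """True if the version falls in the ranges the article lists as vulnerable."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    rel = tuple(int(x) for x in m.group(1, 2, 3))
    beta = int(m.group(4)) if m.group(4) else RELEASE
    if rel < FIXED_STABLE:          # 2.7.8 and everything older
        return True
    return rel == (2, 8, 0) and beta < FIXED_BETA   # 2.8.0.beta1 .. beta6


def webhook_hits(log_lines, proxy_status=403):
    """Return requests under the blocked prefix and whether the proxy stopped them."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3).startswith(BLOCKED_PREFIX):
            hits.append({"client": m.group(1), "method": m.group(2),
                         "status": int(m.group(4)),
                         "blocked": int(m.group(4)) == proxy_status})
    return hits


if __name__ == "__main__":
    for v in ("2.7.8", "2.7.9", "2.8.0.beta6", "2.8.0.beta7"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    for hit in webhook_hits(SAMPLE_LOG):
        print(hit)
```

Any hit with "blocked" set to False means a request under the prefix was not answered by the proxy rule and should be investigated.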