We need to talk about lack of validation

Discourse has plugged a critical vulnerability in its platform

Developers of Discourse, the popular open source forum software, have patched a security flaw that could result in an attacker achieving remote code execution (RCE) on vulnerable systems.

The critical bug (CVE-2021-41163), which affects Discourse versions 2.7.8 and earlier, is triggered through a malicious Amazon SNS subscription payload.

The problem stems from a validation bug in the upstream aws-sdk-sns gem, which is used by Discourse’s AWS notification webhook handler.

This lack of validation in subscribe_url values makes it possible for an attacker to achieve RCE through malicious requests.
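One way to validate the subscribe_url value of an SNS subscription confirmation before acting on it, shown as an added example (not Discourse's or the aws-sdk-sns gem's code). The function name, the host pattern and the sample payloads are assumptions constructed for illustration.

```ruby
require "json"
require "uri"

# Assumption: legitimate confirmation links are HTTPS URLs on a regional SNS
# endpoint. Extend the pattern for other partitions (e.g. amazonaws.com.cn).
SNS_HOST = /\Asns\.[a-z0-9-]+\.amazonaws\.com\z/

# Returns a parsed URI when the payload's SubscribeURL passes every check,
# otherwise nil. The caller only ever receives a URI object, never raw input.
def safe_subscribe_uri(raw_body)
  msg = JSON.parse(raw_body)
  return nil unless msg.is_a?(Hash) && msg["Type"] == "SubscriptionConfirmation"

  value = msg["SubscribeURL"]
  return nil unless value.is_a?(String)

  uri = URI.parse(value)
  return nil unless uri.is_a?(URI::HTTPS)   # rejects http, file and non-URL strings
  return nil unless uri.userinfo.nil?       # no "trusted-host@other-host" authority
  return nil unless uri.port == 443
  return nil unless SNS_HOST.match?(uri.host.to_s.downcase)

  uri
rescue JSON::ParserError, URI::InvalidURIError, TypeError
  nil
end

# Constructed sample payloads (not captured traffic).
def sample_payload(url, type = "SubscriptionConfirmation")
  JSON.generate("Type" => type, "SubscribeURL" => url)
end

if __FILE__ == $PROGRAM_NAME
  [
    "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=constructed",
    "http://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription",
    "https://sns.us-east-1.amazonaws.com.example.net/",
    "https://sns.us-east-1.amazonaws.com@example.net/",
    "not a url"
  ].each do |url|
    verdict = safe_subscribe_uri(sample_payload(url)) ? "accept" : "reject"
    puts "#{verdict}  #{url}"
  end
end
```

Fetch the returned URI object with an HTTP client such as `Net::HTTP.get(uri)`, so only a validated HTTPS URL is ever requested.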




Users are advised to update to Discourse versions 2.7.9 or later, where possible.

An alternative workaround offering some protection is to block requests with a path starting with /webhooks/aws at an upstream proxy, as explained in a security alert posted to GitHub.

The critical vulnerability, discovered by a security researcher with the handle ‘joernchen’, is described in greater detail in a technical blog post.

