Friday, October 22, 2021

Critical Security Issue - Discourse: Remote Code Execution via Malicious SNS Subscription Payload

A validation bug in the upstream aws-sdk-sns Ruby gem can lead to remote code execution (RCE) in Discourse via a maliciously crafted request (CVE-2021-41162).

The following Discourse versions are affected by this bug:

  • stable: 2.7.8
  • beta: 2.8.0.beta6
  • tests-passed: 2.8.0.beta6

The Bitnami team has already released a patched version of Discourse for all supported platforms: virtual machine, cloud image, container, and Helm chart.

Update your deployments to run one of the following fixed versions:

  • stable: 2.7.9
  • beta: 2.8.0.beta7
  • tests-passed: 2.8.0.beta7
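As an added check (example code written for this post, not Bitnami's or Discourse's own), the following Ruby snippet decides whether a Discourse version string predates the fixed release for its branch. It assumes that Discourse's lib/version.rb keeps MAJOR, MINOR, TINY and PRE constants shaped like the constructed sample below, that any build carrying a prerelease tag (beta, tests-passed) is compared against 2.8.0.beta7 and a plain release against 2.7.9, and, more conservatively than the advisory's list of exact versions, that anything older than the fixed release is treated as unpatched:

```ruby
# Added example, not code from Bitnami or the Discourse project.
# Decide whether a Discourse build is older than the release carrying the
# fix for CVE-2021-41162 (2.7.9 on stable, 2.8.0.beta7 on beta/tests-passed).
require "rubygems" # Gem::Version handles dotted versions with prerelease tags

FIXED_STABLE = Gem::Version.new("2.7.9")
FIXED_BETA   = Gem::Version.new("2.8.0.beta7") # beta and tests-passed share this tag

# Constructed sample modelled on Discourse's lib/version.rb (assumption: the
# real file keeps these four constants with this layout).
SAMPLE_VERSION_RB = <<~RUBY
  module Discourse
    module VERSION
      MAJOR = 2
      MINOR = 8
      TINY  = 0
      PRE   = 'beta6'

      STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
    end
  end
RUBY

# Rebuild the version string from the constants in a lib/version.rb source text.
# PRE = nil marks a stable release; a quoted PRE such as 'beta6' marks a beta.
def version_from_version_rb(source)
  fields = %w[MAJOR MINOR TINY PRE].map do |name|
    m = source.match(/^\s*#{name}\s*=\s*(.+?)\s*$/)
    raise ArgumentError, "#{name} not found in version.rb" unless m
    m[1] == "nil" ? nil : m[1].delete("'\"")
  end
  fields.compact.join(".")
end

# :stable for plain "major.minor.patch" strings, :beta for anything with a
# prerelease tag. Assumption: tests-passed builds report a beta-style string.
def discourse_branch(version_string)
  unless Gem::Version.correct?(version_string)
    raise ArgumentError, "not a version string: #{version_string.inspect}"
  end
  Gem::Version.new(version_string).prerelease? ? :beta : :stable
end

# True when the version is older than the fixed release for its branch.
# Gem::Version compares segment by segment (2.7.10 > 2.7.9) and ranks a
# prerelease below its final release (2.8.0.beta7 < 2.8.0), so this is safe
# where a plain string comparison would not be.
def vulnerable_to_cve_2021_41162?(version_string)
  fixed = discourse_branch(version_string) == :beta ? FIXED_BETA : FIXED_STABLE
  Gem::Version.new(version_string) < fixed
end

if __FILE__ == $0
  detected = version_from_version_rb(SAMPLE_VERSION_RB)
  ["2.7.8", "2.7.9", "2.7.10", detected, "2.8.0.beta7"].each do |v|
    status = vulnerable_to_cve_2021_41162?(v) ? "UPDATE REQUIRED" : "fixed"
    puts format("%-12s %-7s %s", v, discourse_branch(v), status)
  end
end
```

Feed `version_from_version_rb` the contents of the deployment's lib/version.rb (or pass the version string Discourse reports directly to `vulnerable_to_cve_2021_41162?`). The point of going through Gem::Version is ordering: a naive string comparison would call 2.7.10 older than 2.7.9 and 2.8.0.beta10 older than 2.8.0.beta9, both of which are wrong.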

Please refer to the upstream Discourse security advisory for CVE-2021-41162 to learn more.