What is the severity of CVE-2021-41163?

CVE-2021-41163 has been classified as a critical vulnerability due to its potential to enable remote code execution.

How do I fix CVE-2021-41163?

To fix CVE-2021-41163, upgrade Discourse to the latest stable version or any of the patched beta versions.

What types of Discourse versions are affected by CVE-2021-41163?

CVE-2021-41163 affects Discourse versions prior to 2.7.9 and several 2.8.0 beta versions.

What is the impact of CVE-2021-41163?

The impact of CVE-2021-41163 is that it allows attackers to execute arbitrary code on the server.

Is there a workaround for CVE-2021-41163?

There are no specific workarounds for CVE-2021-41163; upgrading to a patched version is the recommended solution.

Vulnerability/
CVE-2021-41163

critical

CWE

20/10/2021

21/11/2024

CVE-2021-41163: RCE via malicious SNS subscription payload

First published: Wed Oct 20 2021(Updated: )

Discourse is an open source platform for community discussion. In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. To workaround the issue without updating, requests with a path starting /webhooks/aws path could be blocked at an upstream proxy.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Discourse	<2.7.9
Discourse	=2.8.0-beta1
Discourse	=2.8.0-beta2
Discourse	=2.8.0-beta3
Discourse	=2.8.0-beta4
Discourse	=2.8.0-beta5
Discourse	=2.8.0-beta6

Remedy

https://github.com/discourse/discourse/commit/fa3c46cf079d28b086fe1025349bb00223a5d5e9

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2021-41163?
CVE-2021-41163 has been classified as a critical vulnerability due to its potential to enable remote code execution.
How do I fix CVE-2021-41163?
To fix CVE-2021-41163, upgrade Discourse to the latest stable version or any of the patched beta versions.
What types of Discourse versions are affected by CVE-2021-41163?
CVE-2021-41163 affects Discourse versions prior to 2.7.9 and several 2.8.0 beta versions.
What is the impact of CVE-2021-41163?
The impact of CVE-2021-41163 is that it allows attackers to execute arbitrary code on the server.
Is there a workaround for CVE-2021-41163?
There are no specific workarounds for CVE-2021-41163; upgrading to a patched version is the recommended solution.

agent/references
agent/type
collector/mitre-cve
source/MITRE
agent/remedy
agent/severity
agent/title
agent/weakness
agent/first-publish-date
agent/description
agent/last-modified-date
agent/author
agent/softwarecombine
agent/event
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
collector/nvd-index
vendor/discourse
canonical/discourse
version/discourse/2.8.0-beta1
version/discourse/2.8.0-beta2
version/discourse/2.8.0-beta3
version/discourse/2.8.0-beta4
version/discourse/2.8.0-beta5
version/discourse/2.8.0-beta6

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.