RCE via malicious SNS subscription payload

Critical
ZogStriP published GHSA-jcjx-pvpc-qgwq Oct 20, 2021

Package

Discourse (Discourse)

Affected versions

stable <= 2.7.8; beta <= 2.8.0.beta6; tests-passed <= 2.8.0.beta6

Patched versions

stable >= 2.7.9; beta >= 2.8.0.beta7; tests-passed >= 2.8.0.beta7

Description

Impact

A validation bug in the upstream aws-sdk-sns gem can lead to remote code execution (RCE) in Discourse via a maliciously crafted request to the AWS SNS webhook endpoint.

Patches

This issue is patched in the latest stable, beta and tests-passed versions of Discourse.

Workarounds

To work around the issue without updating, block requests whose path starts with /webhooks/aws at an upstream proxy. This only removes the exposed entry point; upgrading to a patched version is the actual fix.
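The workaround above, written out as an nginx reverse-proxy rule. This is an added example, not configuration from the advisory or from Discourse itself; it assumes the common layout in which nginx terminates TLS in front of Discourse, and the hostname and upstream name are placeholders to be replaced with the real deployment's values.

```nginx
# Added example (not from the advisory or the Discourse project).
# Refuse the SNS webhook route at the proxy until Discourse is upgraded.
# Assumes nginx sits in front of Discourse; "discourse.example.com" and
# "discourse_app" are placeholders for the real server name and upstream.

upstream discourse_app {
    server 127.0.0.1:8080;    # placeholder: where Discourse actually listens
}

server {
    listen 443 ssl;
    server_name discourse.example.com;

    # ^~ makes this prefix match take precedence over any later regex
    # locations, so /webhooks/aws, /webhooks/aws/ and /webhooks/aws/<anything>
    # are all caught. nginx matches locations against the normalized,
    # percent-decoded path, so encoded variants of the prefix are caught too.
    # All HTTP methods are refused, not just POST, so there is no
    # method-based way around the rule.
    location ^~ /webhooks/aws {
        return 403;
    }

    # Everything else is forwarded to Discourse unchanged.
    location / {
        proxy_pass http://discourse_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, confirm the rule with a request such as `curl -i -X POST https://discourse.example.com/webhooks/aws/sns`, which should return 403, while an unrelated path such as `/latest.json` still returns 200. If more than one proxy layer is in front of Discourse, place the rule at the outermost one so that no path to the application bypasses it.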

Severity

Critical (10.0 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2021-41163
