Discourse is one of the most popular open-source community forum and mailing list management applications. A critical code execution vulnerability has been identified in Discourse that allows an attacker to execute arbitrary code on the affected system. This vulnerability has been assigned CVE-2021-41163. NIST has not yet calculated a severity score, but the flaw is considered Critical because it allows unauthenticated RCE on affected systems. Due to the widespread use of Discourse, CISA (the Cybersecurity and Infrastructure Security Agency) has also published an alert asking administrators to update Discourse to the latest patched versions.
Vulnerability Details
The vulnerability lies in the AWS notification webhook handler and is caused by a validation bug in subscribe_url. It requires no authentication and can be triggered by an attacker with a request to https://somediscourseinstance/webhooks/aws.
PoC code is also publicly available for this vulnerability. It exploits the same flaw: attacker-supplied input is passed to the open() function, leading to OS command execution.
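As an added illustration (example code written for this page, not Discourse's own handler and not the vendor's actual patch), the following Ruby helper shows the defensive pattern for the bug class described above: treat subscribe_url as untrusted, accept it only if it parses as an http(s) URI with a host, and fetch it with Net::HTTP rather than handing the raw string to Kernel#open. The function names are assumptions.

```ruby
require "uri"
require "net/http"

# Hypothetical helper: validate an SNS-style subscribe_url before it reaches
# any open()-like call. Kernel#open treats a string that begins with "|" as a
# command to run, which is the class of bug behind CVE-2021-41163; restricting
# the value to a parsed http/https URI with a host removes that path entirely.
# Returns a URI object on success, nil on anything that should be rejected.
def validate_subscribe_url(raw)
  return nil unless raw.is_a?(String)
  uri = begin
    URI.parse(raw)
  rescue URI::InvalidURIError
    return nil # e.g. "|id" is not a valid URI and is rejected here
  end
  # URI::HTTPS is a subclass of URI::HTTP, so this accepts exactly http and https.
  return nil unless uri.is_a?(URI::HTTP)
  return nil if uri.host.nil? || uri.host.empty?
  uri
end

# Confirm the subscription with Net::HTTP. The argument is a URI object, never a
# raw string, so nothing here can be interpreted as a shell command.
def confirm_subscription(raw)
  uri = validate_subscribe_url(raw)
  raise ArgumentError, "rejected subscribe_url" if uri.nil?
  Net::HTTP.get_response(uri)
end
```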
Affected
Discourse stable versions 2.7.8 and prior.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected system.
Solution
The vendor has released a patch for this vulnerability. It is fixed in Discourse stable version 2.7.9 and later. If updating Discourse is not possible, users are advised to block requests whose path starts with /webhooks/aws using a WAF or similar additional security tooling.
SanerNow VM detects this vulnerability. We strongly recommend applying the security update for this vulnerability as a high priority.