CVE-2021-41163
high-risk
Published 2021-10-20
Discourse is an open source platform for community discussion. In affected versions, maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. To work around the issue without updating, requests with a path starting with /webhooks/aws could be blocked at an upstream proxy.
Do I need to act?
3.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Fix available
Upgrade to: a1dcf3a50cdc69a33e7174eb23e2415fc32de79f, fa3c46cf079d28b086fe1025349bb00223a5d5e9
CVSS 10.0/10 · Critical
NETWORK / LOW complexity
Affected Vendors
References (4)
Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-pvpc-qgwq
54 / 100 · high-risk
Severity
33/34 · Critical
Exploitability
7/34 · Low
Exposure
14/34 · Moderate