CVE-2021-41163

Опубликовано: 20 окт. 2021

Источник: nvd

CVSS3: 10

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

Discourse is an open source platform for community discussion. In affected versions maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. To workaround the issue without updating, requests with a path starting /webhooks/aws path could be blocked at an upstream proxy.

Ссылки

https://github.com/discourse/discourse/commit/fa3c46cf079d28b086fe1025349bb00223a5d5e9
Patch
Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-pvpc-qgwq
Third Party Advisory
https://github.com/discourse/discourse/commit/fa3c46cf079d28b086fe1025349bb00223a5d5e9
Patch
Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-pvpc-qgwq
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*

Версия до 2.7.9 (исключая)

cpe:2.3:a:discourse:discourse:2.8.0:beta1:*:*:*:*:*:*

cpe:2.3:a:discourse:discourse:2.8.0:beta2:*:*:*:*:*:*

cpe:2.3:a:discourse:discourse:2.8.0:beta3:*:*:*:*:*:*

cpe:2.3:a:discourse:discourse:2.8.0:beta4:*:*:*:*:*:*

cpe:2.3:a:discourse:discourse:2.8.0:beta5:*:*:*:*:*:*

cpe:2.3:a:discourse:discourse:2.8.0:beta6:*:*:*:*:*:*

EPSS

Процентиль: 88%

0.03651

Низкий

10 Critical

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-74

EPSS

Процентиль: 88%

0.03651

Низкий

10 Critical

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-74