Discourse’s Remote Code Execution (RCE) Vulnerability Should be Patched Immediately

A critical Discourse remote code execution (RCE) vulnerability, tracked as CVE-2021-41163, was remedied after the developer released a security update last week. The vulnerability can be exploited in Discourse versions 2.7.8 and earlier and thus users are urged to update to patched versions 2.7.9 or later. Discourse is an open-source platform for community discussion. In unpatched versions of Discourse, maliciously crafted requests can lead to remote code executions because of a lack of validation in “subscribe_url” values. “The implications of a CVE-2021-41163 exploit and the ease of leveraging it (sending an unauthenticated POST) result in a CVSS v3 score of 10.0 (critical), so patching it should be treated as an emergency,” according to BleepingComputer. And CISA “urges developers” to apply the patch. To date, there have been no observed exploitations of this vulnerability. For more technical information read the full advisory from the National Institute of Standards and Technology or access a relevant article at BleepingComputer.