CVE-2022-36066

Discourse vulnerable to RCE via admins uploading maliciously zipped file

CVSS 9.1 CRITICAL · EPSS 1.6% · CWE-434
In short

Discourse administrators can upload specially crafted ZIP or gzipped tar archives whose entries are written anywhere on the server, which in turn allows arbitrary code execution. This is a critical vulnerability that gives an attacker who already holds an admin account complete control over the host running Discourse.

Technical detail

CWE-434 (unrestricted file upload) in Discourse versions prior to 2.8.9 (stable) and 2.9.0.beta10 (beta/tests-passed). An admin user can upload a maliciously crafted ZIP or gzipped tar archive whose entries are written to arbitrary filesystem locations, leading to remote code execution. Exploitation requires admin privileges (PR:H in the CVSS vector below); the underlying defect is that the paths of archive entries were not validated during extraction, so an entry could escape the directory the archive was meant to be unpacked into.

Summary generated and translated by AI from the official description.
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution. The problem is patched in version 2.8.9 on the `stable` branch and version 2.9.0.beta10 on the `beta` and `tests-passed` branches. There are no known workarounds.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
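The bug class behind this advisory is the classic archive path traversal ("zip slip"): an extractor that joins each member name onto the destination directory lets a member named `../../evil.rb` land wherever the attacker chooses. The Ruby script below is an added illustration and is not Discourse's code or the actual proof of concept. It builds a constructed gzipped tar containing such an entry using Ruby's bundled `rubygems/package` tar classes, unpacks it once with a naive extractor and once with a hardened one that resolves every member name against the destination root and rejects anything that escapes. The archive contents, the file names (`theme/about.json`, `evil.rb`) and the helper names (`safe_target`, `extract_hardened`, `demo`) are assumptions made for the demonstration.

```ruby
require 'rubygems/package'
require 'zlib'
require 'stringio'
require 'fileutils'
require 'tmpdir'

class UnsafeArchiveEntry < StandardError; end

# Constructed sample archive (not the real proof of concept): a harmless
# theme-style entry followed by one whose name climbs out of the target dir.
def build_malicious_tgz
  tar_io = StringIO.new
  Gem::Package::TarWriter.new(tar_io) do |tar|
    about = '{}'
    tar.add_file_simple('theme/about.json', 0o644, about.bytesize) { |io| io.write(about) }
    payload = "puts 'owned'\n"
    tar.add_file_simple('../../evil.rb', 0o644, payload.bytesize) { |io| io.write(payload) }
  end
  gz_io = StringIO.new
  gz = Zlib::GzipWriter.new(gz_io)
  gz.write(tar_io.string)
  gz.finish
  gz_io.string
end

# Yield [name, bytes] for each regular-file member. Directories, symlinks and
# device nodes are skipped, so the archive cannot plant a symlink inside the
# destination and traverse through it with a later entry.
def each_tar_file(tgz_bytes)
  gz = Zlib::GzipReader.new(StringIO.new(tgz_bytes))
  Gem::Package::TarReader.new(gz) do |tar|
    tar.each do |entry|
      next unless entry.file?
      yield entry.full_name, entry.read.to_s
    end
  end
end

# Vulnerable pattern: the member name is joined onto the destination as-is,
# so "../" components (or an absolute name) decide where the bytes land.
def extract_vulnerable(tgz_bytes, dest)
  written = []
  each_tar_file(tgz_bytes) do |name, data|
    target = File.join(dest, name)
    FileUtils.mkdir_p(File.dirname(target))
    File.binwrite(target, data)
    written << target
  end
  written
end

# Resolve a member name against the destination root and return the absolute
# target only if it stays strictly inside that root; nil otherwise. The
# trailing separator stops "uploads2/x" from passing for root "uploads".
def safe_target(root, name)
  root = File.expand_path(root)
  target = File.expand_path(name, root) # an absolute name ignores root and fails the prefix check
  target.start_with?(root + File::SEPARATOR) ? target : nil
end

# Hardened pattern: validate every member before writing anything, so a bad
# entry late in the archive cannot leave a half-extracted tree behind.
def extract_hardened(tgz_bytes, dest)
  planned = []
  each_tar_file(tgz_bytes) do |name, data|
    target = safe_target(dest, name)
    raise UnsafeArchiveEntry, "entry #{name.inspect} escapes #{dest}" unless target
    planned << [target, data]
  end
  planned.each do |target, data|
    FileUtils.mkdir_p(File.dirname(target))
    File.binwrite(target, data)
  end
  planned.map(&:first)
end

# Run both extractors in a scratch tree. dest is nested two levels deep so the
# traversing entry lands inside the scratch dir, where it can be inspected.
def demo
  Dir.mktmpdir('zipslip-demo') do |sandbox|
    tgz = build_malicious_tgz
    dest = File.join(sandbox, 'a', 'b', 'uploads')
    extract_vulnerable(tgz, dest)
    escaped = File.exist?(File.join(sandbox, 'a', 'evil.rb')) # written outside dest
    FileUtils.rm_rf(File.join(sandbox, 'a'))
    blocked = begin
      extract_hardened(tgz, dest)
      false
    rescue UnsafeArchiveEntry
      true
    end
    { escaped: escaped, blocked: blocked, leftover: Dir.exist?(dest) }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

`demo` reports whether the naive extractor wrote outside its destination, whether the hardened one refused the archive, and whether it left anything behind. The `safe_target` check is purely lexical (it normalises `..` and absolute names) and the same check applies unchanged to ZIP entry names; it does not follow symlinks, so extract into a freshly created directory and, as here, write only regular files. A production extractor should additionally cap the total decompressed size, which this example does not show.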
Affected products
discourse · discourse
