Maliciously zipped file uploaded by admins can trigger an RCE

Critical
jomaxro published GHSA-grvh-qcpg-hfmv Sep 29, 2022

Package

Discourse (Discourse)

Affected versions

stable <= 2.8.8; beta <= 2.9.0.beta9; tests-passed <= 2.9.0.beta9

Patched versions

stable >= 2.8.9; beta >= 2.9.0.beta10; tests-passed >= 2.9.0.beta10

Description

Impact

Admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution.
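The defect class behind this impact statement is archive entries whose names resolve outside the extraction directory ("../" sequences, absolute names, or link entries that redirect later writes). The mitigation is to resolve every entry name against the destination before touching the filesystem and refuse anything that escapes. Below is an added Ruby example, not Discourse's code and not the patch behind this advisory: it uses only the standard library's `Gem::Package` tar reader/writer and `Zlib`, the module and method names (`SafeTarExtract`, `resolve`, `extract`, `build_sample_archive`) are assumptions, and the sample archive is constructed inline so the check can be exercised offline. Zip archives need the same containment check on each entry name; rubyzip is not in the standard library, so only the tar.gz path is shown.

```ruby
require "fileutils"
require "rubygems/package"
require "stringio"
require "tmpdir"
require "zlib"

# Assumed module name; illustrative code, not Discourse's implementation.
module SafeTarExtract
  class TraversalError < StandardError; end

  # Resolve an archive entry name against the extraction directory and return
  # the absolute target path. Raises TraversalError for names that would land
  # outside dest_dir: "../" sequences, absolute names, NUL bytes.
  def self.resolve(dest_dir, entry_name)
    raise TraversalError, "empty entry name" if entry_name.to_s.empty?
    raise TraversalError, "NUL byte in entry name" if entry_name.include?("\0")

    # Conservatively treat backslashes as separators so "..\\x" is not a plain file name.
    name = entry_name.tr("\\", "/")
    raise TraversalError, "absolute entry name: #{entry_name}" if name.start_with?("/")

    base   = File.expand_path(dest_dir)
    target = File.expand_path(name, base) # collapses "." and ".." lexically

    # Compare with the separator appended: "/srv/out2" must not pass as inside "/srv/out".
    unless target == base || target.start_with?(base + File::SEPARATOR)
      raise TraversalError, "entry escapes extraction dir: #{entry_name}"
    end
    target
  end

  # Extract a gzipped tar (bytes) into dest_dir. Returns [written_paths, rejected],
  # where rejected is a list of [entry_name, reason]. Rejected entries are never
  # written; link entries are refused because a symlink that points outside
  # dest_dir would turn a later, apparently in-bounds write into an escape.
  def self.extract(gz_bytes, dest_dir)
    written, rejected = [], []
    tar_io = StringIO.new(Zlib.gunzip(gz_bytes))
    Gem::Package::TarReader.new(tar_io) do |tar|
      tar.each do |entry|
        name = entry.full_name
        begin
          if entry.symlink? || entry.header.typeflag == "1"
            raise TraversalError, "link entry refused: #{name}"
          end
          target = resolve(dest_dir, name)
          if entry.directory?
            FileUtils.mkdir_p(target)
          elsif entry.file?
            # Refuse to write through a pre-existing symlink at the target path.
            raise TraversalError, "target is a symlink: #{name}" if File.symlink?(target)
            FileUtils.mkdir_p(File.dirname(target))
            File.binwrite(target, entry.read.to_s)
            written << target
          else
            raise TraversalError, "unsupported entry type: #{name}"
          end
        rescue TraversalError => e
          rejected << [name, e.message]
        end
      end
    end
    [written, rejected]
  end

  # Constructed sample input: one legitimate entry and two escaping ones.
  def self.build_sample_archive
    tar_io = StringIO.new("".b)
    Gem::Package::TarWriter.new(tar_io) do |tar|
      tar.add_file("theme/about.json", 0o644) { |f| f.write('{"name":"demo"}') }
      tar.add_file("../outside.txt", 0o644)   { |f| f.write("escaped") }
      tar.add_file("/abs.txt", 0o644)         { |f| f.write("abs") }
    end
    Zlib.gzip(tar_io.string)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    written, rejected = SafeTarExtract.extract(SafeTarExtract.build_sample_archive, dir)
    puts "written:  #{written.inspect}"
    puts "rejected: #{rejected.inspect}"
  end
end
```

The containment check is lexical (`File.expand_path`), which is why link entries and an existing symlink at the target are refused separately: path normalisation alone says nothing about where a symlink on disk points. An extractor that runs as the web application user should also apply the same rule to the archive's directory entries, as this one does, rather than only to files.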

Patches

The problem is patched in the latest tests-passed, beta and stable versions of Discourse.

Workarounds

None.

Severity

Critical
9.1 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2022-36066

Weaknesses

No CWEs