Maliciously zipped file uploaded by admins can trigger an RCE
Package: Discourse (Discourse)
Affected versions: stable <= 2.8.8; beta <= 2.9.0.beta9; tests-passed <= 2.9.0.beta9
Patched versions: stable >= 2.8.9; beta >= 2.9.0.beta10; tests-passed >= 2.9.0.beta10
Impact
Admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution.
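The following is an added Ruby example, not Discourse's own code, showing the kind of path check that stops archive entries from being written outside the extraction directory. Function names and the in-memory sample archive (one benign entry, one traversal entry) are constructed for illustration and assume only the Ruby standard library.

```ruby
require "rubygems/package"
require "zlib"
require "stringio"
require "fileutils"
require "tmpdir"

# Resolve an entry name against the extraction root; nil means "refuse".
def safe_entry_path(root, name)
  root = File.expand_path(root)
  return nil if name.empty? || name.start_with?("/")
  dest = File.expand_path(name, root)
  return nil unless dest == root || dest.start_with?(root + File::SEPARATOR)
  dest
end

# Extract a gzip tar stream into root, skipping entries that escape it.
# Returns [written, rejected] lists of entry names.
def safe_untar_gz(io, root)
  written, rejected = [], []
  gz = Zlib::GzipReader.new(io)
  Gem::Package::TarReader.new(gz) do |tar|
    tar.each do |entry|
      dest = safe_entry_path(root, entry.full_name)
      if dest.nil? || !(entry.file? || entry.directory?)
        rejected << entry.full_name # traversal, absolute path, symlink, device
        next
      end
      if entry.directory?
        FileUtils.mkdir_p(dest)
      else
        FileUtils.mkdir_p(File.dirname(dest))
        File.binwrite(dest, entry.read || "")
      end
      written << entry.full_name
    end
  end
  [written, rejected]
end

# Constructed sample archive: a benign file plus a "../../" traversal entry.
def build_sample_tgz
  buf = StringIO.new
  gz = Zlib::GzipWriter.new(buf)
  Gem::Package::TarWriter.new(gz) do |tar|
    tar.add_file_simple("theme/about.json", 0644, 2) { |f| f.write("{}") }
    tar.add_file_simple("../../evil.rb", 0644, 5) { |f| f.write("exit!") }
  end
  gz.finish
  buf.string
end
```

Running `safe_untar_gz(StringIO.new(build_sample_tgz), Dir.mktmpdir)` writes only `theme/about.json` and reports `../../evil.rb` as rejected.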
Patches
The problem is patched in the latest tests-passed, beta and stable versions of Discourse.
Workarounds
None.