CVE-2022-36066: Discourse file upload bug could lead to RCE attacks

CVE-2022-36066

Recently, Discourse released patches for 4 vulnerabilities in its product, that could be exploited by remote attackers to take control of an affected system.

Discourse is a free and open-source Internet forum software. Features include support for categorization and tagging of discussions, configurable access control, live updates, expanding link previews, infinite scrolling, and real-time notifications. It allows for a high level of customizability via its plugin architecture and its theming system.

The most important of the bugs is a critical severity flaw in Discourse that could allow a remote authenticated attacker to upload arbitrary files.

Tracked as CVE-2022-36066 (CVSS score: 9.1), the vulnerability is triggered due to the improper validation of archive contents. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to upload a malicious Zip or Gzip Tar archive file, which could allow the attacker to execute arbitrary code on the vulnerable system.

“Admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution,”  read the security advisory.

CVE-2022-36066 affects Discourse stable version <= 2.8.8, beta <= 2.9.0.beta9 and tests-passed <= 2.9.0.beta9. Users can update to the latest patched version: stable >= 2.8.9; beta >= 2.9.0.beta10; tests-passed >= 2.9.0.beta10.

Another high-risk flaw patched is a security bypass flaw (CVE-2022-36068, CVSS score: 7.2). This bug was caused by missing authorization in the API. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authorization and create new and edit existing themes.

Lastly, Discourse also patched two severity flaws (CVE-2022-39226 and CVE-2022-39232) that cause issues for other users when loading that profile or crash the current page in the browser.

Users running older versions of Discourse are required to upgrade to receive the latest protections and the relevant fixes.