cbcvebase.
CVE-2021-41163
published 2021-10-20


Priority: P273 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 19.81% (97.1th percentile)
Discourse is an open source platform for community discussion. In affected versions, maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation of subscribe_url values. The issue is patched in the latest stable, beta and tests-passed versions of Discourse. To work around the issue without updating, requests whose path starts with /webhooks/aws can be blocked at an upstream proxy.

Affected (5 ranges)

Vendor      Product     Version range   Fixed in
discourse   discourse   < 2.7.9         2.7.9
discourse   discourse
discourse   discourse
discourse   discourse
discourse   discourse

Detection & IOCs (extracted from sources)

path: /webhooks/aws
Snort/Suricata rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Discourse SNS Webhook RCE Inbound (CVE-2021-41163)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webhooks/aws"; nocase; fast_pattern; http.request_body; content:"|22|SubscribeURL|22 20 3a 20 22 7c|"; nocase; content:"|22|Signature|22 3a|"; nocase; reference:url,0day.click/recipe/discourse-sns-rce/; reference:cve,2021-41163; classtype:attempted-admin; sid:2034252; rev:1; metadata:attack_target Server, created_at 2021_10_25, cve CVE_2021_41163, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_10_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

Byte patterns matched by the rule (hex between the pipes, shown with the decoded ASCII):
  |22|SubscribeURL|22 20 3a 20 22 7c|   decodes to   "SubscribeURL" : "|
  |22|Signature|22 3a|                  decodes to   "Signature":
  • Block or alert on inbound HTTP POST requests targeting the /webhooks/aws URI path on Discourse servers; this is the vulnerable SNS webhook endpoint exploited for RCE.
  • Exploit traffic is unauthenticated. Look for POST requests to /webhooks/aws whose body contains both a SubscribeURL field whose value begins with a pipe character (the command-injection indicator the rule keys on) and a Signature field.
  • The attack is classified under MITRE ATT&CK T1190 (Exploit Public-Facing Application) / TA0001 (Initial Access); tune perimeter and internal IDS/IPS deployments accordingly.
  • The vulnerability stems from a lack of validation of subscribe_url values, so any WAF or proxy rule should inspect the value of the SubscribeURL JSON field for pipe characters or other shell metacharacters rather than relying only on the rule's exact byte sequence, which is sensitive to whitespace around the colon.
  • The Snort/Suricata rule (sid:2034252) carries both the Perimeter and Internal deployment tags, meaning the exploit can originate from external hosts or from already-compromised internal hosts; apply the rule in both contexts.
  • Upgrading to the latest stable, beta, or tests-passed version of Discourse is the definitive fix; blocking /webhooks/aws is only a workaround for unpatched instances.
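The following is an added example (not code from this page, the Discourse project, or the rule's author) that re-implements the conditions of sid:2034252 in Python so the detection can be exercised against captured requests offline, and adds a JSON-aware check of the SubscribeURL value that does not depend on the rule's exact spacing. The sample requests, the function names, and the SHELL_META character set are all constructed for this example and are not taken from the advisory.

```python
"""Detection logic for CVE-2021-41163 exploit attempts against the Discourse
/webhooks/aws endpoint. Added example; not code from Discourse or the rule author.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Byte patterns from the Snort/Suricata rule, decoded from |hex| notation:
#   |22|SubscribeURL|22 20 3a 20 22 7c|  ->  "SubscribeURL" : "|
#   |22|Signature|22 3a|                 ->  "Signature":
SUBSCRIBE_URL_PIPE = b'"SubscribeURL" : "|'
SIGNATURE_FIELD = b'"Signature":'

# Shell metacharacters that do not occur in a legitimate SNS SubscribeURL
# (an https:// URL whose query string uses only & and =). Assumption: this
# character set is ours, not from the advisory or the rule.
SHELL_META = re.compile(r'[|;`\n]|\$\(')


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: bytes


def parse_raw_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into method, URI and body (headers ignored)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, uri, _version = request_line.split(b" ", 2)
    return HttpRequest(method.decode(), uri.decode(), body)


def matches_sid_2034252(req: HttpRequest) -> bool:
    """Literal re-implementation of the rule: method POST, URI contains
    /webhooks/aws (nocase), body contains both byte patterns (nocase)."""
    if req.method != "POST":
        return False
    if "/webhooks/aws" not in req.uri.lower():
        return False
    body = req.body.lower()
    return SUBSCRIBE_URL_PIPE.lower() in body and SIGNATURE_FIELD.lower() in body


def subscribe_url_is_suspicious(value) -> bool:
    """A SubscribeURL should be a plain http(s) URL with no shell metacharacters."""
    if not isinstance(value, str):
        return True
    if not value.lower().startswith(("https://", "http://")):
        return True
    return bool(SHELL_META.search(value))


def inspect_webhook_body(req: HttpRequest) -> Optional[str]:
    """Spacing-independent check: parse the JSON body and examine the field
    value. Returns a reason to block the request, or None if it looks benign."""
    if req.method != "POST" or "/webhooks/aws" not in req.uri.lower():
        return None
    try:
        payload = json.loads(req.body)
    except ValueError:
        return "body is not JSON"
    if not isinstance(payload, dict):
        return "body is not a JSON object"
    if "SubscribeURL" in payload and subscribe_url_is_suspicious(payload["SubscribeURL"]):
        return "SubscribeURL is not a plain http(s) URL"
    return None


# Constructed sample traffic (not real captures).
HEAD = b"POST /webhooks/aws HTTP/1.1\r\nHost: forum.example\r\nContent-Type: text/plain\r\n\r\n"
BENIGN_REQUEST = HEAD + json.dumps({
    "Type": "SubscriptionConfirmation",
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=EXAMPLE",
    "Signature": "EXAMPLE",
}).encode()
# Spacing exactly as the rule expects, value starting with a pipe (placeholder, no command).
EXPLOIT_SHAPED_REQUEST = HEAD + b'{"Type": "SubscriptionConfirmation", "SubscribeURL" : "|PLACEHOLDER", "Signature": "EXAMPLE"}'
# Same field value but compact JSON: the byte-exact rule misses it, the JSON check does not.
COMPACT_REQUEST = HEAD + b'{"SubscribeURL":"|PLACEHOLDER","Signature":"EXAMPLE"}'

if __name__ == "__main__":
    for name, raw in [("benign", BENIGN_REQUEST), ("exploit-shaped", EXPLOIT_SHAPED_REQUEST),
                      ("compact", COMPACT_REQUEST)]:
        req = parse_raw_request(raw)
        print(f"{name:15} sid:2034252={matches_sid_2034252(req)!s:5} "
              f"json-check={inspect_webhook_body(req)}")
```

The compact-JSON case is the point of the second check: the rule's content match encodes a space on either side of the colon, so a body that omits that whitespace slips past the signature while still carrying a pipe-prefixed SubscribeURL. Parsing the JSON and validating the field value catches both shapes; the upstream-proxy block on /webhooks/aws remains the simpler workaround for instances that cannot be upgraded yet.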

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P