CVE-2021-41163
Published 2021-10-20
Priority: P273 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 19.81% (97.1th percentile)
Discourse is an open source platform for community discussion. In affected versions, maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation in subscribe_url values. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. To work around the issue without updating, requests with a path starting with /webhooks/aws could be blocked at an upstream proxy.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| discourse | discourse | < 2.7.9 | 2.7.9 |
| discourse | discourse | — | — |
| discourse | discourse | — | — |
| discourse | discourse | — | — |
| discourse | discourse | — | — |
Detection & IOCs
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Discourse SNS Webhook RCE Inbound (CVE-2021-41163)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webhooks/aws"; nocase; fast_pattern; http.request_body; content:"|22|SubscribeURL|22 20 3a 20 22 7c|"; nocase; content:"|22|Signature|22 3a|"; nocase; reference:url,0day.click/recipe/discourse-sns-rce/; reference:cve,2021-41163; classtype:attempted-admin; sid:2034252; rev:1; metadata:attack_target Server, created_at 2021_10_25, cve CVE_2021_41163, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_10_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes
|22|SubscribeURL|22 20 3a 20 22 7c|
bytes
|22|Signature|22 3a|
- Block or alert on inbound HTTP POST requests targeting the /webhooks/aws URI path on Discourse servers; this is the vulnerable SNS webhook endpoint exploited for RCE.
- Exploit traffic is unauthenticated; look for POST requests to /webhooks/aws containing both a 'SubscribeURL' field with a pipe character (indicating a command-injection payload) and a 'Signature' field in the request body.
- The attack is classified under MITRE ATT&CK T1190 (Exploit Public-Facing Application) / TA0001 (Initial Access); tune perimeter and internal IDS/IPS deployments accordingly.
- The vulnerability stems from lack of validation in subscribe_url values; any WAF/proxy rule should specifically inspect the SubscribeURL JSON field value for shell metacharacters or pipe characters.
- The Snort/Suricata rule (sid:2034252) targets both perimeter and internal deployment zones, meaning the exploit can originate from external or already-compromised internal hosts; ensure the rule is applied in both contexts.
- Patching to the latest stable, beta, or tests-passed version of Discourse is the definitive fix; the /webhooks/aws block is only a workaround for unpatched instances.
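A log- or proxy-side version of the check described in the bullets above, as an added example that is not part of the original page or of Discourse's code: it parses the request body as JSON, so the SubscribeURL test does not depend on spacing or key case in the body. The function name, the character set, the sample bodies and the expectation that genuine SNS confirmation URLs are https links under amazonaws.com are assumptions.

```python
import json
from urllib.parse import urlsplit

# Characters that have no place in a genuine confirmation URL. "&" is left out
# on purpose: legitimate SubscribeURL query strings contain it.
SUSPICIOUS = set("|;`$<>\\\n\r\t ")

def inspect_sns_webhook(method, path, body):
    """Return findings for one HTTP request; an empty list means nothing flagged."""
    if method.upper() != "POST" or not path.lower().startswith("/webhooks/aws"):
        return []  # not the endpoint named in the advisory
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]
    fields = {k.lower(): v for k, v in doc.items()}  # the IDS rule matches nocase
    if "subscribeurl" not in fields:
        return []
    url = fields["subscribeurl"]
    if not isinstance(url, str):
        return ["SubscribeURL is not a string"]
    findings = []
    bad = sorted(SUSPICIOUS.intersection(url))
    if bad:
        findings.append("SubscribeURL contains metacharacters: %r" % "".join(bad))
    try:
        parts = urlsplit(url)
        scheme, host = parts.scheme, parts.hostname or ""
    except ValueError:
        scheme, host = "", ""
    if scheme != "https":
        findings.append("SubscribeURL is not an https URL")
    elif not host.endswith(".amazonaws.com"):  # assumption, see lead-in
        findings.append("SubscribeURL host is not under amazonaws.com")
    return findings

# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "legit": '{"Type": "SubscriptionConfirmation", "SubscribeURL": '
             '"https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=EXAMPLE", '
             '"Signature": "EXAMPLE"}',
    "spaced": '{"SubscribeURL" : "|constructed-placeholder", "Signature": "EXAMPLE"}',
    "compact": '{"subscribeurl":"|constructed-placeholder","Signature":"EXAMPLE"}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_sns_webhook("POST", "/webhooks/aws", body))
```
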
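CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |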
No advisories linked to this vulnerability.
Suricata
ET EXPLOIT Discourse SNS Webhook RCE Inbound (CVE-2021-41163)
suricata·2021-10-25·CVSS 10.0
No public exploits indexed.
- https://github.com/discourse/discourse/commit/fa3c46cf079d28b086fe1025349bb00223a5d5e9
- https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-pvpc-qgwq
Published: 2021-10-20