CVSS3: 9.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.01 Low
EPSS Percentile: 83.7%
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the stable branch and prior to 2.9.0.beta10 on the beta and tests-passed branches, admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution. The problem is patched in version 2.8.9 on the stable branch and version 2.9.0.beta10 on the beta and tests-passed branches. There are no known workarounds.
[
  {
    "product": "discourse",
    "vendor": "discourse",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.8.9"
      },
      {
        "status": "affected",
        "version": ">= 2.9.0.beta0, < 2.9.0.beta10"
      }
    ]
  }
]
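The advisory does not say how the archive is crafted. The following is an added example, not Discourse's patch or code, of a pre-extraction audit for the Gzip Tar case that rejects the usual causes of writes outside the destination: traversal names, absolute paths and link members. The destination path and the sample archive are constructed for illustration, and Zip input is not covered because Ruby's standard library has no Zip reader.

```ruby
require "rubygems/package"
require "stringio"
require "zlib"

# Returns a reason string if the entry must not be extracted, or nil if it is safe.
# The check is lexical; it does not resolve symlinks already present on disk.
def entry_problem(dest_root, name, regular: true)
  return "not a regular file or directory" unless regular
  return "absolute path" if name.start_with?("/")
  root = File.expand_path(dest_root)
  # Joining onto the absolute root first prevents "~" expansion of the entry name.
  target = File.expand_path(File.join(root, name))
  return nil if target == root || target.start_with?(root + File::SEPARATOR)
  "escapes destination"
end

# Lists every rejected member of a gzip-compressed tar, without writing anything.
def audit_tar_gz(bytes, dest_root)
  problems = {}
  Gem::Package::TarReader.new(StringIO.new(Zlib.gunzip(bytes))).each do |entry|
    # Symlinks, hardlinks, devices and other special members are all refused.
    reason = entry_problem(dest_root, entry.full_name,
                           regular: entry.file? || entry.directory?)
    problems[entry.full_name] = reason if reason
  end
  problems
end

# Constructed sample archive: one benign file, one traversal name, one symlink.
def constructed_sample_tgz
  io = StringIO.new(String.new)
  Gem::Package::TarWriter.new(io) do |tar|
    tar.add_file_simple("theme/about.json", 0o644, 2) { |f| f.write("{}") }
    tar.add_file_simple("../../outside.txt", 0o644, 1) { |f| f.write("x") }
    tar.add_symlink("theme/link", "/etc", 0o777)
  end
  Zlib.gzip(io.string)
end

DEST = "/srv/app/tmp/unpack" # hypothetical extraction directory

if __FILE__ == $PROGRAM_NAME
  audit_tar_gz(constructed_sample_tgz, DEST).each { |name, why| puts "REJECT #{name}: #{why}" }
end
```

An upload handler would refuse the whole archive when the audit returns any entry, rather than extracting the members that passed.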