← Back

CVE-2022-36066

nvd nist
Published: Sep 29, 2022Modified: Nov 21, 2024

JSON object

Loading...
7.2
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 / Impact: 5.9
Source: NVD

Description

Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution. The problem is patched in version 2.8.9 on the `stable` branch and version 2.9.0.beta10 on the `beta` and `tests-passed` branches. There are no known workarounds.

Affected (10)

Products: Discourse: Discourse
Discourse
1 product
Discourse
Configuration A
10 vulnerable
Vulnerable SoftwareAffected Versions
Discourse
Discourse
Before 2.8.9
Discourse
Version 2.9.0 beta1
Discourse
Version 2.9.0 beta2
Discourse
Version 2.9.0 beta3
Discourse
Version 2.9.0 beta4
Discourse
Version 2.9.0 beta5
Discourse
Version 2.9.0 beta6
Discourse
Version 2.9.0 beta7
Discourse
Version 2.9.0 beta8
Discourse
Version 2.9.0 beta9

Related CWEs

CWE-434
Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (6)

Source: security-advisories@github.com
PatchThird Party Advisory
Source: security-advisories@github.com
PatchThird Party Advisory
Source: security-advisories@github.com
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.