Vulnerabilities > CVE-2022-36066 - Unspecified vulnerability in Discourse
Attack vector
NETWORK Attack complexity
LOW Privileges required
HIGH Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution. The problem is patched in version 2.8.9 on the `stable` branch and version 2.9.0.beta10 on the `beta` and `tests-passed` branches. There are no known workarounds.
Vulnerable Configurations
References
- https://github.com/discourse/discourse/commit/b27d5626d208a22c516a0adfda7554b67b493835
- https://github.com/discourse/discourse/commit/b27d5626d208a22c516a0adfda7554b67b493835
- https://github.com/discourse/discourse/pull/18421
- https://github.com/discourse/discourse/pull/18421
- https://github.com/discourse/discourse/security/advisories/GHSA-grvh-qcpg-hfmv
- https://github.com/discourse/discourse/security/advisories/GHSA-grvh-qcpg-hfmv