BIT-discourse-2022-36066

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2022-36066.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-discourse-2022-36066

Aliases

CVE-2022-36066
GHSA-grvh-qcpg-hfmv

Published

2024-03-06T11:05:00.775Z

Modified

2025-10-08T05:26:56.295377Z

Summary

Discourse vulnerable to RCE via admins uploading maliciously zipped file

Details

Discourse is an open source discussion platform. In versions prior to 2.8.9 on the stable branch and prior to 2.9.0.beta10 on the beta and tests-passed branches, admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution. The problem is patched in version 2.8.9 on the stable branch and version 2.9.0.beta10 on the beta and tests-passed branches. There are no known workarounds.

Database specific

{
    "cpes": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / discourse

Package

Name: discourse
Purl: pkg:bitnami/discourse

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.8.9