CVE-2022-36066 Information

Description

Discourse is an open source discussion platform. In versions prior to 2.8.9 on the stable branch and prior to 2.9.0.beta10 on the beta and tests-passed branches admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution. The problem is patched in version 2.8.9 on the stable branch and version 2.9.0.beta10 on the beta and tests-passed branches. There are no known workarounds.

Reference

https://github.com/discourse/discourse/pull/18421 https://github.com/discourse/discourse/security/advisories/GHSA-grvh-qcpg-hfmv https://github.com/discourse/discourse/commit/b27d5626d208a22c516a0adfda7554b67b493835