CVE-2022-39241: Insufficient Server Side Request Forgery protections
Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a workaround, self-hosters can use the DISCOURSE_BLOCKED_IP_BLOCKS env var (which overrides the blocked_ip_blocks setting) to stop webhooks from accessing private IPs.
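The check that a blocked-IP-blocks setting enables, written out as an added example in Ruby (the language Discourse is written in). This is not Discourse's own code and does not reproduce how it applies the setting; the pipe-separated list format, the block list contents and the injectable resolver are assumptions made for the example. It shows the two details a defender has to get right: every address a hostname resolves to is checked, not only the first, and IPv4-mapped IPv6 forms are normalised so they cannot slip past IPv4 blocks.

```ruby
require "ipaddr"
require "resolv"

# Added example (not Discourse's own code). The pipe-separated format and the
# block list below are assumptions made for this example; the link-local range
# also covers cloud instance metadata endpoints.
ASSUMED_BLOCKED_IP_BLOCKS =
  "10.0.0.0/8|172.16.0.0/12|192.168.0.0/16|127.0.0.0/8|" \
  "169.254.0.0/16|fc00::/7|fe80::/10"

# Parse the pipe-separated CIDR list into IPAddr ranges; blank entries are ignored.
def parse_blocked_blocks(value)
  value.to_s.split("|").map(&:strip).reject(&:empty?).map { |cidr| IPAddr.new(cidr) }
end

# Resolve a hostname to every address it maps to (A and AAAA records).
# Tests inject a fake resolver so the check runs offline.
def resolve_all(host)
  Resolv.getaddresses(host)
end

# Destination addresses for a webhook target: an IP literal stands for itself,
# a hostname for all of its resolved addresses.
def destination_addresses(host, resolver)
  [IPAddr.new(host)]
rescue IPAddr::InvalidAddressError
  resolver.call(host).map { |addr| IPAddr.new(addr) }
end

# True when the request must not be sent. Every resolved address is checked,
# not just the one the client would happen to connect to, and IPv4-mapped IPv6
# addresses (::ffff:127.0.0.1) are converted to their IPv4 form before the
# comparison. A name that resolves to nothing fails closed.
def blocked_destination?(host, blocks, resolver: method(:resolve_all))
  addresses = destination_addresses(host, resolver)
  return true if addresses.empty?
  addresses.any? do |ip|
    ip = ip.native if ip.ipv4_mapped?
    blocks.any? { |block| block.include?(ip) }
  end
end

if __FILE__ == $0
  # Mirrors the env-var override: DISCOURSE_BLOCKED_IP_BLOCKS wins over the assumed default.
  blocks = parse_blocked_blocks(ENV.fetch("DISCOURSE_BLOCKED_IP_BLOCKS", ASSUMED_BLOCKED_IP_BLOCKS))
  %w[127.0.0.1 ::ffff:10.0.0.5 169.254.169.254 93.184.216.34].each do |target|
    puts "#{target}: #{blocked_destination?(target, blocks) ? 'blocked' : 'allowed'}"
  end
end
```

One caveat the check alone does not cover: a DNS answer can change between this lookup and the HTTP client's own lookup, so a production implementation should resolve once, vet the addresses, and then connect to a vetted address rather than letting the client resolve the name a second time.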
Impact
Insufficient protections could enable attackers to trigger outbound network connections from the Discourse server to private IP addresses.
End-users could trigger HTTP GET requests to private IPs, but would not be able to obtain detailed information about the response.
Forum administrators could trigger HTTP GET / POST to private IPs, and view information about the response. They could also trigger a git clone to private IPs using the HTTP or SSH protocol, but would not be able to view the response unless it was a Discourse Theme repository.
The high severity of this advisory reflects the worst-case scenario where admins are untrusted, and there are sensitive services on the internal network. This may be true in some deployments (e.g. shared hosting environments). But for the majority of self-hosters following our standard install, admins are trusted and so the impact is much lower.
Patches
Latest stable, beta, and test-passed versions are now patched.
Workarounds
Apply protections at the network level.