The vulnerability is a validation bug in the upstream aws-sdk-sns gem that can be used to obtain remote code execution in Discourse. An attacker would need to send a specially crafted request to exploit the flaw. The vulnerability, tracked as CVE-2021-41163, has a CVSS score of 10 and is caused by a lack of validation of the subscribe URL parameter. Citing the potential for exploitation attempts, both CISA and Discourse, which released a patch for the security issue last week, declined to provide technical details on the problem.

Versions 2.7.9 (stable) and 2.8.0.beta7 (beta and tests-passed) of Discourse contain patches that fix the vulnerability. "CISA strongly advises developers to upgrade to patched version 2.7.9 or later, or apply workarounds," the US agency stated on Sunday. Those who are unable to update to a patched version immediately should ensure that requests with a path starting with /webhooks/aws are blocked at an upstream proxy, according to the Discourse team.

Discourse is a self-hosted internet forum and mailing list management software with features such as long-form chat rooms, live updates, and drag-and-drop attachments. Discourse claims to have over 2,000 customers. According to BuiltWith statistics, the platform has been installed on over 31,000 websites, although only about 14,300 of them are currently live. It is unclear how many of these are still at risk.
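The two defensive measures the article describes, an allowlist check on the SNS subscribe URL before anything fetches it and the interim proxy rule that drops the /webhooks/aws route, can be illustrated in Ruby. The block below is an added example written for this page; it is not Discourse's code, not the aws-sdk-sns gem's code, and not the actual fix. The `SNS_HOST` pattern is an assumption that only regional `sns.<region>.amazonaws.com` endpoints are acceptable, the function names are hypothetical, and the sample messages are constructed, not captured traffic. The `Type` and `SubscribeURL` fields are the standard SNS message fields.

```ruby
require "json"
require "uri"

# Added example (not Discourse or aws-sdk-sns code). Assumption: confirmation
# tokens may only be fetched from a regional SNS endpoint in the standard AWS
# partitions, so the hostname must match this pattern exactly.
SNS_HOST = /\Asns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?\z/

# Allowlist check for a URL carried in an unauthenticated SNS POST body.
# Rejects non-HTTPS schemes, embedded credentials, odd ports and any host
# that is not an SNS endpoint (including "sns.us-east-1.amazonaws.com.evil").
def sns_url_allowed?(raw)
  uri = URI.parse(raw.to_s)
  return false unless uri.is_a?(URI::HTTPS)   # http:, javascript:, file: ... rejected
  return false if uri.userinfo                 # no "user@host" ambiguity
  return false unless uri.port == 443
  return false unless uri.host && SNS_HOST.match?(uri.host)
  true
rescue URI::InvalidURIError
  false
end

# Decide what to do with an SNS POST body. Returns [action, detail]; the
# caller only follows a URL when the action is :confirm.
def sns_action(body)
  msg = JSON.parse(body)
  case msg["Type"]
  when "SubscriptionConfirmation"
    url = msg["SubscribeURL"]
    sns_url_allowed?(url) ? [:confirm, url] : [:reject, "untrusted SubscribeURL"]
  when "Notification"
    [:notify, msg["Message"]]
  else
    [:reject, "unknown Type"]
  end
rescue JSON::ParserError
  [:reject, "malformed body"]
end

# Interim mitigation at the edge: drop the webhook route outright. Percent
# escapes are decoded and repeated slashes collapsed first, so "/webhooks%2Faws"
# or "//webhooks//aws" cannot slip past a naive prefix comparison.
def webhook_path_blocked?(path)
  decoded = path.gsub(/(?:%[0-9A-Fa-f]{2})+/) do |m|
    [m.delete("%")].pack("H*").force_encoding(path.encoding)
  end
  decoded.gsub(%r{/+}, "/").start_with?("/webhooks/aws")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample messages, not captured traffic.
  good = { "Type" => "SubscriptionConfirmation",
           "SubscribeURL" => "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=abc" }
  bad  = { "Type" => "SubscriptionConfirmation",
           "SubscribeURL" => "https://sns.us-east-1.amazonaws.com.attacker.example/confirm" }
  p sns_action(JSON.generate(good)).first   # :confirm
  p sns_action(JSON.generate(bad))          # [:reject, "untrusted SubscribeURL"]
  p webhook_path_blocked?("/webhooks%2Faws/sns")  # true
end
```

The path check mirrors what an nginx rule such as `location ^~ /webhooks/aws { return 403; }` does after nginx has decoded the request URI; the point of the normalisation step is that a prefix filter applied to the raw, undecoded path would be trivially bypassed.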