Local File Exposure Vulnerability in Discourse Community Platform

CVE-2024-53991

Summary

CVE-2024-53991 is a critical local file exposure vulnerability that affects instances of the Discourse community discussion platform, specifically those configured to use FileStore::LocalStore for local uploads and backups. This vulnerability allows an attacker who knows the name of a Discourse backup file to craft a malicious request, effectively tricking the web server (nginx) into serving the sensitive backup files directly. To mitigate this risk, it is vital for users to upgrade to the latest stable, beta, or tests-passed Discourse versions. For users unable to perform the upgrade immediately, it is recommended to either back up local files to an external storage device, disable backup functionality, or change backup storage settings to Amazon S3 to enhance security.

References