Home > Vulnerability Database > CVE-2022-36066

Mend.io Vulnerability Database

CVE-2022-36066

Date: September 29, 2022

Discourse is an open source discussion platform. In versions prior to 2.8.9 on the "stable" branch and prior to 2.9.0.beta10 on the "beta" and "tests-passed" branches, admins can upload a maliciously crafted Zip or Gzip Tar archive to write files at arbitrary locations and trigger remote code execution. The problem is patched in version 2.8.9 on the "stable" branch and version 2.9.0.beta10 on the "beta" and "tests-passed" branches. There are no known workarounds.

Language: Ruby

Severity Score

9.1

Related Resources (5)

Url: https://github.com/discourse/discourse/pull/18421

Url: https://github.com/discourse/discourse/security/advisories/GHSA-grvh-qcpg-hfmv

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-36066

Url: https://github.com/discourse/discourse/commit/b27d5626d208a22c516a0adfda7554b67b493835

Url: https://www.mend.io/vulnerability-database/CVE-2022-36066

Severity Score

9.1

Weakness Type (CWE)

Unrestricted Upload of File with Dangerous Type

CWE-434

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-36066

Date: September 29, 2022

Language: Ruby

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?