CVE-2024-53991
📋 TL;DR
An nginx misconfiguration allows unauthenticated attackers to download Discourse backup files when backups are stored on local disk. Only Discourse instances configured with FileStore::LocalStore for uploads/backups are affected. Attackers need to know the backup filename to exploit this information disclosure vulnerability.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of sensitive backup data including user information, private messages, and potentially database credentials, leading to data breach and credential theft.
Likely Case
Unauthorized access to backup files containing user data, configuration details, and potentially sensitive information from the Discourse instance.
If Mitigated
No data exposure if backups are stored externally or proper access controls prevent unauthorized requests.
🎯 Exploit Status
Exploitation requires the attacker to know or guess the backup filename. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest stable, beta, and tests-passed versions
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-567m-82f6-56rv
Restart Required: Yes
Instructions:
1. Update Discourse to the latest stable/beta/tests-passed version.
2. Restart the Discourse application.
3. Verify that backup functionality works correctly.
🔧 Temporary Workarounds
Disable local backups
Linux: Temporarily disable backups and remove existing local backup files
rails runner "SiteSetting.enable_backups = false"
rm -rf /var/discourse/shared/standalone/backups/*
Switch to S3 storage
All platforms: Change the backup storage location to Amazon S3
rails runner "SiteSetting.backup_location = 's3'"
🧯 If You Can't Patch
- Download all local backups to secure storage, disable enable_backups setting, and delete all local backup files
- Change backup_location setting to 's3' to store backups externally
🔍 How to Verify
Check if Vulnerable:
Check if using FileStore::LocalStore and if backups are stored locally. Review nginx configuration for backup file access patterns.
Check Version:
cd /var/discourse && ./launcher status app
Verify Fix Applied:
After upgrade, attempt to access backup files via crafted URLs that previously worked. Verify backups are now properly protected.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to backup file paths in nginx logs
- Patterns of requests attempting to access known backup filenames
Network Indicators:
- HTTP requests to backup file paths without proper authentication
- Unusual download patterns of large backup files
SIEM Query:
web_access_logs WHERE url_path CONTAINS 'backup' AND (response_code = 200 OR response_code = 206) AND user_agent NOT IN expected_backup_clients
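The SIEM query above expressed as a small, runnable log triage script. This is an added example, not code from the advisory or from the Discourse project: it assumes nginx's standard "combined" log format (the Discourse container may use a different format, so adjust LOG_RE if your lines differ), and the log lines and the `EXPECTED_BACKUP_CLIENTS` allow-list are constructed values for illustration. It flags successful (200/206) downloads of paths containing "backup" from clients other than your own off-site copy job, and separately counts every backup-path request per source IP, 404s included, so that filename-probing patterns stand out even when no download succeeded.

```python
import re
from collections import Counter

# nginx "combined" log format (assumption; adapt to your actual log_format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines, not real traffic. Hostnames, IPs and filenames are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2024:10:00:01 +0000] "GET /t/hello-world/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2024:10:00:02 +0000] "GET /backups/site-2024-12-09-030000-v20241201.tar.gz HTTP/1.1" 200 734003200 "-" "curl/8.4.0"
198.51.100.7 - - [10/Dec/2024:10:00:03 +0000] "GET /backups/site-2024-12-08-030000-v20241201.tar.gz HTTP/1.1" 206 104857600 "-" "python-requests/2.32"
198.51.100.7 - - [10/Dec/2024:10:00:04 +0000] "GET /backups/site-2024-12-07-030000.tar.gz HTTP/1.1" 404 153 "-" "python-requests/2.32"
10.0.0.2 - - [10/Dec/2024:03:05:00 +0000] "GET /backups/site-2024-12-09-030000-v20241201.tar.gz HTTP/1.1" 200 734003200 "-" "backup-sync/1.0"
"""

# Assumption: the user agent of your own legitimate backup copy job.
EXPECTED_BACKUP_CLIENTS = {"backup-sync/1.0"}
SUCCESS_CODES = {200, 206}  # full and partial (range) downloads


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_backup_path(path):
    """Mirror the SIEM query's 'url_path CONTAINS backup' test, case-insensitively."""
    return "backup" in path.lower()


def find_backup_hits(log_text, expected_clients=EXPECTED_BACKUP_CLIENTS):
    """Successful backup-path downloads by clients not on the allow-list.

    These are the records that warrant incident handling: the file actually left the server.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (is_backup_path(rec["path"])
                and rec["status"] in SUCCESS_CODES
                and rec["ua"] not in expected_clients):
            hits.append(rec)
    return hits


def count_backup_requests_by_ip(log_text):
    """Every request to a backup path per source IP, regardless of status code.

    A single IP cycling through dated filenames (mostly 404s) is the probing pattern the
    advisory's log indicators describe, and it is visible before any download succeeds.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_backup_path(rec["path"]):
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for h in find_backup_hits(SAMPLE_LOG):
        print(f"ALERT {h['ip']} {h['status']} {h['bytes']} bytes {h['path']} ua={h['ua']!r}")
    print("backup-path requests per IP:", count_backup_requests_by_ip(SAMPLE_LOG))
```

On the constructed input this reports two downloads (the curl full download and the python-requests range request) and leaves the allow-listed sync job alone; the per-IP count shows 198.51.100.7 hitting two different backup filenames, one of which did not exist. Feed it your real access log with `open(path).read()` in place of `SAMPLE_LOG`.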