PT-2024-36003 · Discourse+1
High · pmusaraj · Published 2024-12-19 · Updated 2025-08-26 · CVE-2024-53991
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Discourse versions prior to 3.3.3
Description:
This issue affects Discourse instances configured to use FileStore::LocalStore, where uploads and backups are stored locally on disk. If an attacker knows the name of the Discourse backup file, they can trick nginx into sending the Discourse backup file with a well-crafted request. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.
Recommendations:
For Discourse versions prior to 3.3.3, update to stable 3.3.3, beta 3.4.0.beta4, or tests-passed 3.4.0.beta4 to safeguard your data.
As a temporary workaround, consider downloading all local backups to another storage device, disabling the enable backups site setting, and deleting all backups until the site has been upgraded to pull in the fix.
Alternatively, change the backup location site setting to s3 so that backups are stored and downloaded directly from S3.
Exploit
Fix
Information Disclosure
Affected Products
Discourse
Nginx