CVE-2024-53991: 
NixOS vulnerability analysis and mitigation

Discourse, an open source platform for community discussion, disclosed a vulnerability (CVE-2024-53991) on December 19, 2024. This vulnerability specifically affects Discourse instances configured to use FileStore::LocalStore, where uploads and backups are stored locally on disk. The vulnerability allows an attacker who knows the name of a Discourse backup file to trick nginx into sending the backup file through a well-crafted request (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability can be exploited remotely (Network), requires low attack complexity, needs no privileges, requires no user interaction, has unchanged scope, and can result in high confidentiality impact without affecting integrity or availability (GitHub Advisory).

The primary impact of this vulnerability is the potential exposure of sensitive information contained in backup files. If successfully exploited, an attacker could access complete backup files of the Discourse installation, which typically contain user data, configuration settings, and other sensitive information (GitHub Advisory).

The issue has been patched in the latest stable, beta, and tests-passed versions of Discourse. For users unable to upgrade immediately, two workaround options are available: 1) Download all local backups to another storage device, disable the enable_backups site setting, and delete all backups until the site can be upgraded, or 2) Change the backup_location site setting to s3 so that backups are stored and downloaded directly from S3 (GitHub Advisory).