Hi,
I’m getting messages from our central IT complaining that our Discourse instance is triggering a security warning on CVE-2021-41163, which regards the /webhooks/aws endpoint.
I’ve told them that we’ve kept the software up to date since 2021 (we do a “launcher app rebuild” every month automatically) but their scanner is still flagging it as a problem. It’s convinced we’re running a version before 2.7.8 (2021), but we’re on 2026.01.0-latest. So I’m pretty sure their scanner is just mis-parsing the version string, or detecting the existence of the endpoint and complaining about that.
I’m 99% sure it’s not a problem, but I need to convince them of that.
Is there a clean way of disabling the AWS webhooks endpoint without having to tweak discourse.conf? That would probably mollify them.
Of course there’s always that 1% possibility that we’re NOT patched, in which case, I’d be happy to have some way of testing that. I did some grepping through git log but I don’t see a specific reference to that CVE.
Advice?
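As an added illustration, not part of the original post: assuming the fixed version 2.7.8 quoted above and a running version string like the one quoted, this Python snippet compares the two numerically (so a date-based version such as 2026.01.0 sorts after 2.7.8) and shows one way a parser that insists on strict semver would fail on that string, since "01" is not a valid semver component. How the IT scanner actually parses versions is not known from the post.

```python
import re

# Version that fixed CVE-2021-41163, as stated in the post above.
FIXED_VERSION = "2.7.8"

# Strict semver (no leading zeros in numeric parts, optional pre-release/build).
_STRICT_SEMVER = re.compile(
    r"^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(v):
    """Split a Discourse version string into a tuple of ints.

    Drops any suffix such as '-latest' or '.beta1' so the numeric parts compare
    cleanly, and pads to three components so '2.7' == '2.7.0'.  Works for both
    classic versions ('2.7.8') and date-based ones ('2026.01.0-latest').
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(running, fixed=FIXED_VERSION):
    """True when the running version is at or above the fixed version."""
    return parse_version(running) >= parse_version(fixed)


def strict_semver(v):
    """Return (major, minor, patch) only if v is strict semver, else None.

    Illustrates a plausible scanner failure mode (an assumption, not the
    behaviour of any particular product): '2026.01.0-latest' does not parse.
    """
    m = _STRICT_SEMVER.match(v)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(running, fixed=FIXED_VERSION):
    """Summarise both views for a given version string (constructed helper)."""
    return {
        "running": running,
        "numeric_patched": is_patched(running, fixed),
        "strict_semver_parsed": strict_semver(running) is not None,
    }


if __name__ == "__main__":
    for sample in ("2.7.7", "2.7.8", "2026.01.0-latest"):  # constructed samples
        print(assess(sample))
```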