Just leaving this here, in case people run Nginx with the vulnerable rewrite patterns and vulnerable software.
TL;DR, an Nginx RCE can be combined with a local root exploit if the conditions are perfect.
The bug lives inside nginx's rewrite engine. Specifically, it involves the interaction between three directive types: `rewrite` with capture groups (`$1`, `$2`, etc.), a `set` directive that includes a literal question mark in the replacement string, and a subsequent chained `if` or `rewrite` directive that inherits the rewrite context.
This does not apply to a standard Discourse installation.