fkie_cve-2024-21624
Vulnerability from fkie_nvd
Published
2024-02-09 23:15
Modified
2024-11-21 08:54
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.
References
security-advisories@github.comhttps://github.com/nonebot/nonebot2/pull/2509Issue Tracking, Patch
security-advisories@github.comhttps://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxgVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/nonebot/nonebot2/pull/2509Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxgVendor Advisory
Impacted products
Vendor Product Version
nonebot nonebot *
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "48D76A37-92D4-435B-8E50-798D10E7E452",
              "versionEndExcluding": "2.2.0",
              "versionStartIncluding": "2.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "465F6B52-66C6-4227-9EDE-CE2B532DF86F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:alpha16:*:*:*:*:*:*",
              "matchCriteriaId": "E33D41DF-25CA-475D-A068-ABB2BB8F0756",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "6C2A7A44-E383-4FC5-9471-7F7D142EE5B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "97E334E2-1BBD-49F4-9DB6-6030539246B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "A73B180B-3EC8-4050-8E2F-F879097D5349",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "A4940243-0FAD-46CB-83AD-28D131B0C33D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta5:*:*:*:*:*:*",
              "matchCriteriaId": "882E455A-7665-4E87-A000-24F3BAD30574",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "3735223E-557B-4B99-849F-EA965A478B12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "4AE1E1EC-D01B-41ED-8268-2725C67E92EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "00EAA913-619A-4999-866C-BC7F44E84FA9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "E3411B5D-14F4-4BA0-AF2A-CBF789F5BEE9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template."
    },
    {
      "lang": "es",
      "value": "nonebot2 es un framework de chatbot asincr\u00f3nico de Python multiplataforma escrito en Python. Este aviso de seguridad se refiere a una posible fuga de informaci\u00f3n (por ejemplo, variables de entorno) en casos en los que los desarrolladores utilizan \"MessageTemplate\" e incorporan datos proporcionados por el usuario en plantillas. La vulnerabilidad identificada se solucion\u00f3 en la solicitud de extracci\u00f3n n.\u00b0 2509 y se incluir\u00e1 en las versiones lanzadas a partir de la 2.2.0. Se recomienda encarecidamente a los usuarios que actualicen a estas versiones parcheadas para protegerse contra la vulnerabilidad. Una soluci\u00f3n temporal implica filtrar los guiones bajos antes de incorporar la entrada del usuario en la plantilla del mensaje."
    }
  ],
  "id": "CVE-2024-21624",
  "lastModified": "2024-11-21T08:54:44.910",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-09T23:15:08.553",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/nonebot/nonebot2/pull/2509"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/nonebot/nonebot2/pull/2509"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.