FKIE_CVE-2024-21624

Vulnerability from fkie_nvd - Published: 2024-02-09 23:15 - Updated: 2024-11-21 08:54
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.
References
security-advisories@github.comhttps://github.com/nonebot/nonebot2/pull/2509Issue Tracking, Patch
security-advisories@github.comhttps://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxgVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/nonebot/nonebot2/pull/2509Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxgVendor Advisory
Impacted products
Vendor Product Version
nonebot nonebot *
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
nonebot nonebot 2.0.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "48D76A37-92D4-435B-8E50-798D10E7E452",
              "versionEndExcluding": "2.2.0",
              "versionStartIncluding": "2.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "465F6B52-66C6-4227-9EDE-CE2B532DF86F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:alpha16:*:*:*:*:*:*",
              "matchCriteriaId": "E33D41DF-25CA-475D-A068-ABB2BB8F0756",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "6C2A7A44-E383-4FC5-9471-7F7D142EE5B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "97E334E2-1BBD-49F4-9DB6-6030539246B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "A73B180B-3EC8-4050-8E2F-F879097D5349",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "A4940243-0FAD-46CB-83AD-28D131B0C33D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta5:*:*:*:*:*:*",
              "matchCriteriaId": "882E455A-7665-4E87-A000-24F3BAD30574",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "3735223E-557B-4B99-849F-EA965A478B12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "4AE1E1EC-D01B-41ED-8268-2725C67E92EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "00EAA913-619A-4999-866C-BC7F44E84FA9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "E3411B5D-14F4-4BA0-AF2A-CBF789F5BEE9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template."
    },
    {
      "lang": "es",
      "value": "nonebot2 es un framework de chatbot asincr\u00f3nico de Python multiplataforma escrito en Python. Este aviso de seguridad se refiere a una posible fuga de informaci\u00f3n (por ejemplo, variables de entorno) en casos en los que los desarrolladores utilizan \"MessageTemplate\" e incorporan datos proporcionados por el usuario en plantillas. La vulnerabilidad identificada se solucion\u00f3 en la solicitud de extracci\u00f3n n.\u00b0 2509 y se incluir\u00e1 en las versiones lanzadas a partir de la 2.2.0. Se recomienda encarecidamente a los usuarios que actualicen a estas versiones parcheadas para protegerse contra la vulnerabilidad. Una soluci\u00f3n temporal implica filtrar los guiones bajos antes de incorporar la entrada del usuario en la plantilla del mensaje."
    }
  ],
  "id": "CVE-2024-21624",
  "lastModified": "2024-11-21T08:54:44.910",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-09T23:15:08.553",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/nonebot/nonebot2/pull/2509"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/nonebot/nonebot2/pull/2509"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.