CVE-2024-21624

Published Feb 9, 2024

Last updated a year ago

CVSS medium 6.5

Overview

Description: nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.
Source: security-advisories@github.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity: MEDIUM

Weaknesses

nvd@nist.gov: NVD-CWE-noinfo
security-advisories@github.com: CWE-200

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nonebot:nonebot:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "48D76A37-92D4-435B-8E50-798D10E7E452",
            "versionEndExcluding": "2.2.0",
            "versionStartIncluding": "2.0.1"
          },
          {
            "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "465F6B52-66C6-4227-9EDE-CE2B532DF86F"
          },
          {
            "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:alpha16:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E33D41DF-25CA-475D-A068-ABB2BB8F0756"
          },
          {
            "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6C2A7A44-E383-4FC5-9471-7F7D142EE5B5"
          },
          {
            "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "97E334E2-1BBD-49F4-9DB6-6030539246B5"
          },
          {
            "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A73B180B-3EC8-4050-8E2F-F879097D5349"
          },
          {
            "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A4940243-0FAD-46CB-83AD-28D131B0C33D"
          },
          {
            "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "882E455A-7665-4E87-A000-24F3BAD30574"
          },
          {
            "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3735223E-557B-4B99-849F-EA965A478B12"
          },
          {
            "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4AE1E1EC-D01B-41ED-8268-2725C67E92EC"
          },
          {
            "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "00EAA913-619A-4999-866C-BC7F44E84FA9"
          },
          {
            "criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E3411B5D-14F4-4BA0-AF2A-CBF789F5BEE9"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References