CVE-2024-21624
Published Feb 9, 2024
Last updated 9 months ago
Overview
- Description
- nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
Social media
- Hype score
- Not currently trending
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 3.6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Severity
- MEDIUM
Weaknesses
- nvd@nist.gov
- NVD-CWE-noinfo
- security-advisories@github.com
- CWE-200
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nonebot:nonebot:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "48D76A37-92D4-435B-8E50-798D10E7E452",
"versionEndExcluding": "2.2.0",
"versionStartIncluding": "2.0.1"
},
{
"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:-:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "465F6B52-66C6-4227-9EDE-CE2B532DF86F"
},
{
"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:alpha16:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E33D41DF-25CA-475D-A068-ABB2BB8F0756"
},
{
"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "6C2A7A44-E383-4FC5-9471-7F7D142EE5B5"
},
{
"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "97E334E2-1BBD-49F4-9DB6-6030539246B5"
},
{
"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A73B180B-3EC8-4050-8E2F-F879097D5349"
},
{
"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A4940243-0FAD-46CB-83AD-28D131B0C33D"
},
{
"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta5:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "882E455A-7665-4E87-A000-24F3BAD30574"
},
{
"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3735223E-557B-4B99-849F-EA965A478B12"
},
{
"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4AE1E1EC-D01B-41ED-8268-2725C67E92EC"
},
{
"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "00EAA913-619A-4999-866C-BC7F44E84FA9"
},
{
"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E3411B5D-14F4-4BA0-AF2A-CBF789F5BEE9"
}
],
"operator": "OR"
}
]
}
]