CVE-2024-21624

nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nonebot/nonebot2/pull/2509	Issue Tracking Patch
https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nonebot:nonebot::::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:-::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:alpha16::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:beta1::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:beta2::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:beta3::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:beta4::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:beta5::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:rc1::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:rc2::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:rc3::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:rc4::::::

History

16 Feb 2024, 13:52

Type	Values Removed	Values Added
CPE		cpe:2.3:a:nonebot:nonebot:2.0.0:beta1:::::: cpe:2.3:a:nonebot:nonebot:2.0.0:beta4:::::: cpe:2.3:a:nonebot:nonebot:2.0.0:rc2:::::: cpe:2.3:a:nonebot:nonebot:2.0.0:rc1:::::: cpe:2.3:a:nonebot:nonebot:2.0.0:-:::::: cpe:2.3:a:nonebot:nonebot:2.0.0:alpha16:::::: cpe:2.3:a:nonebot:nonebot:2.0.0:beta2:::::: cpe:2.3:a:nonebot:nonebot:2.0.0:rc4:::::: cpe:2.3:a:nonebot:nonebot:2.0.0:beta5:::::: cpe:2.3:a:nonebot:nonebot:::::::: cpe:2.3:a:nonebot:nonebot:2.0.0:rc3:::::: cpe:2.3:a:nonebot:nonebot:2.0.0:beta3::::::
Summary		(es) nonebot2 es un framework de chatbot asincrónico de Python multiplataforma escrito en Python. Este aviso de seguridad se refiere a una posible fuga de información (por ejemplo, variables de entorno) en casos en los que los desarrolladores utilizan "MessageTemplate" e incorporan datos proporcionados por el usuario en plantillas. La vulnerabilidad identificada se solucionó en la solicitud de extracción n.° 2509 y se incluirá en las versiones lanzadas a partir de la 2.2.0. Se recomienda encarecidamente a los usuarios que actualicen a estas versiones parcheadas para protegerse contra la vulnerabilidad. Una solución temporal implica filtrar los guiones bajos antes de incorporar la entrada del usuario en la plantilla del mensaje.
CVSS	v2 : ~~unknown~~ v3 : ~~5.7~~	v2 : unknown v3 : 6.5
References	~~() https://github.com/nonebot/nonebot2/pull/2509 -~~	() https://github.com/nonebot/nonebot2/pull/2509 - Issue Tracking, Patch
References	~~() https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg -~~	() https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg - Vendor Advisory
First Time		Nonebot Nonebot nonebot
CWE		NVD-CWE-noinfo

09 Feb 2024, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-09 23:15

Updated : 2024-02-16 13:52

NVD link : CVE-2024-21624

Mitre link : CVE-2024-21624

CVE.ORG link : CVE-2024-21624

JSON object : View

Products Affected

nonebot

nonebot

CWE

NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

6.5 /10