CVE-2024-21624
Potential Information Leak in User-Constructed Message Templates in nonebot2
Summary
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
nonebot2 is a cross-platform asynchronous chatbot framework written in Python. This advisory covers a potential information leak (for example, of environment variables) in bots whose developers build a `MessageTemplate` out of user-provided data. The recommended workaround (stripping underscores from user input before it reaches the template) points at the mechanism: Python-style format fields can walk object attributes and keys (`{obj.__class__...}`), so a user who controls the template text can reach attributes and objects the developer never meant to expose. The issue is fixed in pull request #2509 and ships in version 2.2.0 and later; users are strongly advised to upgrade. Until then, filter underscores out of user input before incorporating it into a message template, and prefer passing user text to the template as a format argument rather than as part of the template string itself.
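The following is an added illustration of the bug class the advisory describes; it is not code from nonebot2 or from the advisory, and it uses the standard library's `string.Formatter` rather than `MessageTemplate` (that `MessageTemplate` resolves fields the same way is an assumption drawn from the advisory's description and its underscore-filtering workaround). The `Greeter` class, the `DEMO_SECRET` environment variable and the payload are constructed for the example.

```python
import os
import re
import string

# Constructed for the example: a secret that the bot process happens to hold
# in its environment, standing in for real tokens or credentials.
os.environ["DEMO_SECRET"] = "hunter2"


class Greeter:
    """Constructed sample object passed to the template, standing in for an
    event or user object a bot plugin would hand to MessageTemplate."""

    def __init__(self, name: str):
        self.name = name


# Constructed attacker-controlled template text. A format field may walk
# attributes ('.x') and keys ('[k]'); from a bound method we reach the
# module globals of the module that defined the class, then 'os'.
PAYLOAD = "{user.__init__.__globals__[os].environ[DEMO_SECRET]}"


def render_unsafe(template: str, **kwargs) -> str:
    """Vulnerable pattern: the template string itself comes from the user."""
    return string.Formatter().format(template, **kwargs)


# Matches each '.attr' and '[key]' segment of a format field name.
_SEGMENT = re.compile(r"\.([^.\[]+)|\[([^\]]*)\]")


def _has_private_access(field_name: str) -> bool:
    """True if any attribute or key in the field path starts with '_'."""
    return any((attr or key).startswith("_") for attr, key in _SEGMENT.findall(field_name))


def unsafe_fields(template: str) -> list:
    """Return every field in `template` that reaches an underscore-prefixed
    attribute or key (the check the advisory's workaround relies on)."""
    bad = []
    for _literal, field_name, _spec, _conv in string.Formatter().parse(template):
        if field_name is not None and _has_private_access(field_name):
            bad.append(field_name)
    return bad


class SafeFormatter(string.Formatter):
    """Formatter that refuses to traverse private attributes or keys."""

    def get_field(self, field_name, args, kwargs):
        if _has_private_access(field_name):
            raise ValueError(f"private attribute access rejected: {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def render_safe(template: str, **kwargs) -> str:
    """Hardened rendering of a user-influenced template."""
    return SafeFormatter().format(template, **kwargs)


def render_user_text(text: str, **kwargs) -> str:
    """The robust design: user text is a format *argument*, never the template.
    Braces in `text` are copied literally and are never interpreted."""
    template = "{user.name} says: {text}"
    return string.Formatter().format(template, text=text, **kwargs)


if __name__ == "__main__":
    alice = Greeter("alice")
    print(render_unsafe(PAYLOAD, user=alice))  # leaks the environment variable
    print(unsafe_fields(PAYLOAD))
    try:
        render_safe(PAYLOAD, user=alice)
    except ValueError as exc:
        print("blocked:", exc)
    print(render_user_text(PAYLOAD, user=alice))  # payload printed as plain text
```

Note the caveat the underscore filter does not cover: a user who controls the template can still read any public attribute of the objects passed in (`{user.token}` if such a field exists). Only the last function removes the problem, by keeping user input on the argument side of the format call.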
CVSS Scores
SSVC
- Decision: Track
Timeline
- 2023-12-29 CVE Reserved
- 2024-02-09 CVE Published
- 2024-02-17 EPSS Updated
- 2024-08-01 CVE Updated
- Exploited in Wild: none recorded
- KEV Due Date: none
- First Exploit: none recorded
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (2)
URL | Date | Source
---|---|---
https://github.com/nonebot/nonebot2/pull/2509 | 2024-02-16 |
https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg | 2024-02-16 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Nonebot | Nonebot | >= 2.0.1 < 2.2.0 | - | Affected
Nonebot | Nonebot | 2.0.0 | - | Affected
Nonebot | Nonebot | 2.0.0 | alpha16 | Affected
Nonebot | Nonebot | 2.0.0 | beta1 | Affected
Nonebot | Nonebot | 2.0.0 | beta2 | Affected
Nonebot | Nonebot | 2.0.0 | beta3 | Affected
Nonebot | Nonebot | 2.0.0 | beta4 | Affected
Nonebot | Nonebot | 2.0.0 | beta5 | Affected
Nonebot | Nonebot | 2.0.0 | rc1 | Affected
Nonebot | Nonebot | 2.0.0 | rc2 | Affected
Nonebot | Nonebot | 2.0.0 | rc3 | Affected
Nonebot | Nonebot | 2.0.0 | rc4 | Affected