In Red Discord Bot before version 3.3.11, a RCE exploit has been discovered in the Trivia module: this exploit allows Discord users with…
GitHub_M·CWE-74·Published 2020-08-21
In Red Discord Bot before version 3.3.11, an RCE exploit has been discovered in the Trivia module: this exploit allows Discord users with specially crafted usernames to inject code into the Trivia module's leaderboard command. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information. This critical exploit has been fixed in version 3.3.11.
### Impact

An RCE exploit has been discovered in the Trivia module: this exploit allows Discord users with specially crafted usernames to inject code into the Trivia module's leaderboard command. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.

### Patches

This critical exploit has been fixed in version 3.3.11.

### Workarounds

Unloading the Trivia module with ``unload trivia`` makes this exploit inaccessible. We still highly recommend updating to 3.3.11 to completely patch this issue.

### References

https://github.com/Cog-Creators/Red-DiscordBot/pull/4175

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Cog-Creators/Red-DiscordBot](https://github.com/Cog-Creators/Red-DiscordBot)
* Over on our [Discord server](https://discord.gg/red)
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.5 | 8.0 | 4.9 | AV:N/AC:L/Au:S/C:P/I:P/A:N |
| 3.1 | Primary | NVD | 9.6 | 3.1 | 5.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| 3.1 | Primary | cve.org | 8.2 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N |
| 3.1 | Secondary | NVD | 8.2 | 1.8 | 5.8 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N |
| 3.1 | Secondary | GHSA | 8.2 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N |
| 4.0 | Secondary | GHSA | 5.3 | — | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N |