Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU1ajktODQ5eC0yNmg0

Remote Code Execution in Red Discord Bot

Impact

A RCE exploit has been discovered in the Trivia module: this exploit allows Discord users with specifically crafted usernames to inject code into the Trivia module's leaderboard command. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.

Patches

This critical exploit has been fixed on version 3.3.11.

Workarounds

Unloading the Trivia module with unload trivia can render this exploit not accessible. We still highly recommend updating to 3.3.11 to completely patch this issue.

References

https://github.com/Cog-Creators/Red-DiscordBot/pull/4175

For more information

If you have any questions or comments about this advisory:

• Open an issue in Cog-Creators/Red-DiscordBot
• Over on our Discord server

Permalink: https://github.com/advisories/GHSA-55j9-849x-26h4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU1ajktODQ5eC0yNmg0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: 3 months ago

CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

EPSS Percentage: 0.00063
EPSS Percentile: 0.285

Identifiers: GHSA-55j9-849x-26h4, CVE-2020-15140
References:

• https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-55j9-849x-26h4
• https://github.com/Cog-Creators/Red-DiscordBot/pull/4175/commits/9ab536235bafc2b42c3c17d7ce26f1cc64482a81
• https://nvd.nist.gov/vuln/detail/CVE-2020-15140
• https://github.com/pypa/advisory-database/tree/main/vulns/red-discordbot/PYSEC-2020-265.yaml
• https://github.com/advisories/GHSA-55j9-849x-26h4

Repository: https://github.com/Cog-Creators/Red-DiscordBot
Blast Radius: 11.0

Affected Packages