CVE-2024-21624

09.02.2024, 23:15

nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.7 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
GitHub_M	CNA	5.7 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 36%

Vendor	Product	Version
nonebot	nonebot	2.0.1 ≤ 𝑥 < 2.2.0
nonebot	nonebot	2.0.0
nonebot	nonebot	2.0.0:alpha16
nonebot	nonebot	2.0.0:beta1
nonebot	nonebot	2.0.0:beta2
nonebot	nonebot	2.0.0:beta3
nonebot	nonebot	2.0.0:beta4
nonebot	nonebot	2.0.0:beta5
nonebot	nonebot	2.0.0:rc1
nonebot	nonebot	2.0.0:rc2
nonebot	nonebot	2.0.0:rc3
nonebot	nonebot	2.0.0:rc4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://github.com/nonebot/nonebot2/pull/2509

https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg

https://github.com/nonebot/nonebot2/pull/2509

https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg