Lucene search

GitHub_MCVELIST:CVE-2021-29502

HistoryMay 10, 2021 - 5:20 p.m.

CVE-2021-29502 Remote code execution in the WarnSystem module of Laggrons-Dumb-Cogs

2021-05-1017:20:10

CWE-74

GitHub_M

www.cve.org

cve-2021-29502

remote code execution

warnsystem module

laggrons-dumb-cogs

red discord bot

vulnerability

sensitive information

template

sanitized

patch

version 1.3.18

update

!warnsysteminfo

workaround

unload

disable command

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

26.4%

JSON

WarnSystem is a cog (plugin) for the Red discord bot. A vulnerability has been found in the code that allows any user to access sensible informations by setting up a specific template which is not properly sanitized. The problem has been patched in version 1.3.18. Users should update and type !warnsysteminfo to check that their version is 1.3.18 or above. As a workaround users may unload the WarnSystem cog or disable the !warnset description command globally.

CNA Affected

[
  {
    "product": "Laggrons-Dumb-Cogs",
    "vendor": "retke",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.3.18"
      }
    ]
  }
]

References

github.com/retke/Laggrons-Dumb-Cogs/commit/c79dd2cc879989cf2018e76ba2aad0baef3b4ec8

github.com/retke/Laggrons-Dumb-Cogs/security/advisories/GHSA-834g-67vv-m9wq

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

26.4%

JSON

Related for CVELIST:CVE-2021-29502