Lucene search

GitHub_MCVELIST:CVE-2021-32646

HistoryMay 28, 2021 - 5:40 p.m.

CVE-2021-32646 Escalation of permissions in roomer

2021-05-2817:40:10

CWE-287

GitHub_M

www.cve.org

discord bot cog

permission escalation

vulnerability

private voice channel

patched version

workaround

server security

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

42.3%

JSON

Roomer is a discord bot cog (extension) which provides automatic voice channel generation as well as private voice and text channels. A vulnerability has been discovered allowing discord users to get the manage channel permissions in a private VC they have joined. This allowed them to make changes to or delete the voice channel they have taken over. The exploit does not allow access or control to any other channels in the server. Upgrade to version 1.0.1 for a patched version of the cog. As a workaround you may disable private VCs in your guild(server) or unload the roomer cog to render the exploit unusable.

CNA Affected

[
  {
    "product": "Dav-Cogs",
    "vendor": "Dav-Git",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.0.1"
      }
    ]
  }
]

References

github.com/Dav-Git/Dav-Cogs/commit/fbe2ae8ec851a2e9e3e2370db3b812f268e8c8cb

github.com/Dav-Git/Dav-Cogs/security/advisories/GHSA-3f73-8j6q-28v8

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

42.3%

JSON

Related for CVELIST:CVE-2021-32646