Lucene search

GitHub_MCVELIST:CVE-2022-21669

HistoryJan 11, 2022 - 12:00 a.m.

CVE-2022-21669 Bot token exposed in main.py

2022-01-1100:00:00

CWE-798

GitHub_M

www.cve.org

puddingbot

token exposure

main.py

malicious actors

server update

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.4

Confidence

High

EPSS

0.002

Percentile

55.4%

JSON

PuddingBot is a group management bot. In version 0.0.6-b933652 and prior, the bot token is publicly exposed in main.py, making it accessible to malicious actors. The bot token has been revoked and new version is already running on the server. As of time of publication, the maintainers are planning to update code to reflect this change at a later date.

CNA Affected

[
  {
    "vendor": "PuddingBot",
    "product": "pudding-bot",
    "versions": [
      {
        "version": "<= 0.0.6-b933652",
        "status": "affected"
      }
    ]
  }
]

References

github.com/PuddingBot/pudding-bot/commit/a5b15fb0a5be5fdbacba8ff7b2c8759d5e3ba20f

github.com/PuddingBot/pudding-bot/security/advisories/GHSA-cxgr-xpmj-9qjm

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.4

Confidence

High

EPSS

0.002

Percentile

55.4%

JSON

Related for CVELIST:CVE-2022-21669