Lucene search

GitHub_MCVELIST:CVE-2022-39302

HistoryOct 13, 2022 - 12:00 a.m.

CVE-2022-39302 Ree6 may bypass webhook protection

2022-10-1300:00:00

CWE-863

GitHub_M

www.cve.org

cve-2022-39302

ree6

webhook protection

vulnerability

raid protection

log messages

mass advertisements

patch 1.9.9

workarounds

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

19.5%

JSON

Ree6 is a moderation bot. This vulnerability would allow other server owners to create configurations such as “Better-Audit-Logging” which contain a channel from another server as a target. This would mean you could send log messages to another Guild channel and bypass raid and webhook protections. A specifically crafted log message could allow spamming and mass advertisements. This issue has been patched in version 1.9.9. There are currently no known workarounds.

CNA Affected

[
  {
    "vendor": "Ree6-Applications",
    "product": "Ree6",
    "versions": [
      {
        "version": "< 1.9.9",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Ree6-Applications/Ree6/commit/459b5bc24f0ea27e50031f563373926e94b9aa0a

github.com/Ree6-Applications/Ree6/security/advisories/GHSA-v574-xgcf-5w8x